University of Southern California Dissertations and Theses

Assume-guarantee contracts for assured cyber-physical system design under uncertainty

(USC Thesis Other)

Assume-guarantee contracts for assured cyber-physical system design under uncertainty

PDF

Download

Open document

Flip pages

Download a page range

Download transcript

Copy asset link

Request this asset

Transcript (if available)

Content ASSUME-GUARANTEE CONTRACTS FOR ASSURED CYBER-PHYSICAL SYSTEM DESIGN
UNDER UNCERTAINTY
by
Chanwook Oh
A Dissertation Presented to the
FACULTY OF THE USC GRADUATE SCHOOL
UNIVERSITY OF SOUTHERN CALIFORNIA
In Partial Fulfillment of the
Requirements for the Degree
DOCTOR OF PHILOSOPHY
(COMPUTER ENGINEERING)
August 2024
Copyright 2024 Chanwook Oh

Acknowledgements
Firstly, I would like to express my sincerest gratitude to my advisor, Professor Pierluigi Nuzzo. His expertise, feedback, and support have been the most helpful assets for completing this dissertation. His
dedication and ability to challenge and inspire have shaped my academic journey at University of Southern California. He encouraged me to explore new ideas and was kind enough to patiently wait and support
my academic growth. I am deeply thankful for his mentorship and for the countless hours he has invested
in my development, both as a scholar and as a person.
I extend my thanks to the members of my qualification exam and dissertation committee: Professor
Rahul Jain, Professor Chao Wang, Professor Ashutosh Nayyar, and Professor Peter Bereel. Their valuable
insights, constructive critiques, and stimulating questions have been crucial in refining this dissertation. I
am grateful for their time, effort, and dedication in supporting my academic endeavors.
During my academic journey, I was fortunate to collaborate with the brightest minds from both
academia and industry: Matthew Low, Yifeng Xiao, Christopher Leet, Professor Michele Lora, Professor Eunsuk Kang, Professor Zamira Daw, Dr. Isaac Amundson, and Dr. Timothy Wang. Their expertise
and collaborative spirit have enriched my research experience, and I deeply appreciate their help along
the way.
Next, I wish to thank Yinghua Hu and Subhajit Chowdhury, who embarked on this journey with me
as fellow novices in academic research. Camaraderie and shared experiences with them have made this
journey more enjoyable. I was also fortunate to meet my two dear friends, Thomas Choi and Hyunuk
ii

Chae, in Los Angeles. Our shared culture and language, along with countless hours of conversations on
both serious and silly topics, have brought joy to my life as a graduate student. My friendship with all of
them is something I wish to cherish for the rest of my life.
Lastly, I would like to thank my dearest and kindest family: my mother, Minhwa Lee, my father,
Philseok Oh, and my sister, Doeun Oh. I also extend my gratitude to my relatives: my grandparents,
aunts, uncles, and cousins, who have always believed in my potential. For everything I have ever achieved
and will achieve in my life, their unwavering support and love have been the foundation. Although we
were not always close by, their presence in my life means more to me than any words can express. I
dedicate this dissertation to my beloved family.
iii

Table of Contents
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ii
List of Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
List of Figures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii
Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x
Chapter 1: Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1 Challenges in Design and Assurance of Modern Cyber-Physical Systems . . . . . . . . . . 1
1.1.1 Capturing and Managing Heterogeneous Requirements . . . . . . . . . . . . . . . 2
1.1.2 Managing the Dependencies Between Design Decisions . . . . . . . . . . . . . . . 3
1.1.3 Capturing and Dealing with Uncertainty . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1.4 Dealing with Intelligent Components in Cyber-Physical Systems . . . . . . . . . . 5
1.1.5 Certification Standards for Assurance of Emerging Cyber-Physical Systems . . . . 5
1.2 Efforts Towards Design and Assurance of Cyber-Physical Systems . . . . . . . . . . . . . . 6
1.2.1 Design and Verification of Cyber-Physical Systems . . . . . . . . . . . . . . . . . . 7
1.2.1.1 Formally Capturing System Requirements Under Uncertainty . . . . . . 7
1.2.1.2 Formulating and Solving System Design, Verification, and Control
Synthesis Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.2.2 Assurance of Cyber-Physical Systems . . . . . . . . . . . . . . . . . . . . . . . . . 10
1.2.2.1 Formalizing and Synthesizing Assurance Arguments . . . . . . . . . . . 10
1.2.2.2 Measuring the Confidence of Assurance Arguments . . . . . . . . . . . . 11
1.2.3 Summary of the Main Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.3 Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Chapter 2: Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.1 Notations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.2 Assume/Guarantee (A/G) Contracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.2.1 Components and Contracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.2.1.1 Contract Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.2.2 A/G Contracts for Design and Verification of Cyber-Physical Systems . . . . . . . 17
2.2.3 A/G Contracts for Hierarchical Design and Verification of Cyber-Physical Systems:
An Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.2.4 A/G Contracts for Assurance of Cyber-Physical Systems . . . . . . . . . . . . . . . 20
2.3 Formalisms for Capturing System Requirements . . . . . . . . . . . . . . . . . . . . . . . . 20
2.3.1 Signal Temporal Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
iv

2.3.1.1 Syntax of Signal Temporal Logic . . . . . . . . . . . . . . . . . . . . . . . 21
2.3.1.2 Semantics of Signal Temporal Logic . . . . . . . . . . . . . . . . . . . . . 22
2.3.2 Stochastic Signal Temporal Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.3.2.1 Syntax of Stochastic Signal Temporal Logic . . . . . . . . . . . . . . . . . 23
2.3.2.2 Semantics of Stochastic Signal Temporal Logic . . . . . . . . . . . . . . . 24
Chapter 3: Reward Contracts for Cyber-Physical System Design With Objectives . . . . . . . . . . 25
3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
3.2 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
3.3 Motivating Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
3.4 Dynamical System Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.5 Reward Assume-Guarantee Contracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
3.6 Verification and Synthesis with STL Reward Contracts: Problem Formulation . . . . . . . . 38
3.7 Verification and Synthesis with STL Reward Contracts: Algorithms . . . . . . . . . . . . . 39
3.7.1 Mixed Integer Linear Program Encoding of Bounded Signal Temporal Logic Formulas 40
3.7.1.1 System Constraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3.7.1.2 Signal Temporal Logic Constraints . . . . . . . . . . . . . . . . . . . . . 40
3.7.2 Contract-Based Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
3.7.3 Contract-Based Synthesis for Multi-Component Systems . . . . . . . . . . . . . . . 43
3.8 Case Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
3.8.1 Contract-Based Verification for the Motivating Example . . . . . . . . . . . . . . . 46
3.8.2 Contract-Based Synthesis for a Fleet of Autonomous Vehicles . . . . . . . . . . . . 48
3.8.2.1 Intersection Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
3.8.2.2 Highway and Highway Merging Scenarios . . . . . . . . . . . . . . . . . 50
3.8.2.3 Results and Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
3.9 Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Chapter 4: Quantitative Design of Cyber-Physical Systems Under Uncertainties . . . . . . . . . . . 56
4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
4.2 Backgrounds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
4.2.1 Discrete-Time Stochastic Control System . . . . . . . . . . . . . . . . . . . . . . . . 58
4.2.2 Bi-Level Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
4.2.3 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
4.3 Quantitative Reasoning with StSTL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
4.3.1 Robustness Semantics of StSTL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
4.3.2 Deterministic Encoding of Robust StSTL Satisfaction . . . . . . . . . . . . . . . . . 63
4.3.3 Parametric Stochastic Signal Temporal Logic . . . . . . . . . . . . . . . . . . . . . 64
4.4 Problem Formulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
4.5 Deterministic Encoding of StSTL Satisfaction . . . . . . . . . . . . . . . . . . . . . . . . . . 67
4.6 Robust Verification and Parameter Synthesis . . . . . . . . . . . . . . . . . . . . . . . . . . 70
4.7 Case Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
4.7.1 Multi-Sensor Perception System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
4.7.2 Adaptive Cruise Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
4.8 Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Chapter 5: Stochastic Contracts for Assurance of Cyber-Physical Systems . . . . . . . . . . . . . . 83
5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
5.2 Backgrounds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
v

5.2.1 Assurance Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
5.2.2 Bayesian Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
5.2.3 Confirmation Measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
5.3 An Overview of AACE: Automatic Assurance Case Environment . . . . . . . . . . . . . . . 88
5.4 AC Pattern Formalization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
5.4.1 Hierarchical Contract Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
5.4.2 Stochastic Propositional Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
5.5 Confidence Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
5.5.0.1 Confidence Pattern Templates . . . . . . . . . . . . . . . . . . . . . . . . 93
5.5.0.2 Applying Pearl’s Method for Confidence Computation . . . . . . . . . . 95
5.6 AC Synthesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
5.7 AC Selection and Confidence Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
5.7.1 Selecting AC Candidates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
5.7.2 Assessing AC Candidates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
5.7.2.1 Discretizing Confidence via Confirmation Measures . . . . . . . . . . . . 104
5.8 Case Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
5.8.1 Software Correctness Assurance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
5.8.2 Scalable Assurance for Autonomous Driving Systems . . . . . . . . . . . . . . . . . 108
5.8.3 Advanced Fail Safe Module of ArduPilot . . . . . . . . . . . . . . . . . . . . . . . . 111
5.8.4 Security of an Industrial Aerospace System . . . . . . . . . . . . . . . . . . . . . . 111
5.8.5 AACE in Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
5.8.5.1 Synthesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
5.8.5.2 Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
5.8.5.3 Performance Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
5.9 Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Chapter 6: Conclusions and Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
6.1 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
6.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
6.2.1 Reasoning about Stochastic Systems With Non-Gaussian Distributions . . . . . . . 117
6.2.2 Investigating Adaptive Partition Mechanisms . . . . . . . . . . . . . . . . . . . . . 118
Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
vi

List of Tables
3.1 Rewards R1 for M1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.2 Rewards R2 for M2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.3 Rewards R3 for M1 × M2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.4 Experimental results of all scenarios. Scenario Terminated indicates the termination of the
algorithm 3 due to a crash between the vehicles in the simulation. . . . . . . . . . . . . . . 52
4.1 Execution time of parametric refinement for the multi-sensor perception system. When the
optimal parameters could not be found before reaching the maximum number of partitions, the
execution time is marked with ∗. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
4.2 Results from our approach and 105
simulation runs. . . . . . . . . . . . . . . . . . . . . . . . . 79
5.1 Results for the case study on software correctness. . . . . . . . . . . . . . . . . . . . . . . . . . 107
5.2 Performance of the AC generation framework for the ArduCopter software and an
industrial-level aerospace system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
vii

List of Figures
1.1 Overview of this dissertation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.1 Design, Verification, and Synthesis using A/G contracts. . . . . . . . . . . . . . . . . . . . 18
2.2 Anatomy of hierarchical system design using A/G contracts. . . . . . . . . . . . . . . . . . 19
3.1 Connection of Components M1 and M2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
3.2 Feasible routes for the intersection, highway, and highway merging scenarios. . . . . . . . 53
3.3 Intersection scenario for four vehicles without cooperation (left) and with cooperation
(right). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
3.4 Highway scenario for four vehicles without cooperation (top) and with cooperation
(bottom). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
3.5 Highway merging scenario for four vehicles without cooperation (top) and with
cooperation (bottom). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
4.1 Robustness estimate ρ and predicate robustness estimate ρ
′
for the predicate P{v ≤ 0} ≥ p = 0.84
shown on the cumulative distribution function (cdf) Fv of v, where v ∼ N(−2, 1). ρ0 = P{v ≤
0} − 0.84 ≈ 0.14 and ρ
′
0 = F
−1
v
(0.84 + ρ0) − F
−1
v
(0.84) ≈ 1 where F
−1
v
is the inverse cdf of v. . 63
4.2 Relationships between qualitative and quantitative satisfaction of Stochastic Signal Temporal
Logic (StSTL) atomic predicates (APs) and their deterministic encodings. . . . . . . . . . . . . . . 64
4.3 Overview of the proposed framework for finding an optimal set of parameter values for a stochastic
system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
4.4 Design examined in the case studies, including a multi-sensor perception system Mper with N
fixed sensors and L unknown sensors, and an adaptive cruise control (ACC) system Macc with
safety and comfort requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
viii

4.5 Results for the parameter synthesis problem under refinement NN
i=1 Ci ⊗ CN+1 (p) ⊗ CN+2 ⪯ C
with Nmax = 200. Each figure reports on the horizontal axis the confidence level p of the
unspecified sensor, and the standard deviation of the noise σ of the unspecified sensor on the
vertical axis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
4.6 Parameter synthesis results for Csaf e (left) and Ccomf (right). . . . . . . . . . . . . . . . . . . . 82
5.1 Overview of the AC generation framework with a summary of output candidates. . . . . . 89
5.2 AC pattern for P2 in Figure 5.5. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
5.3 Confidence pattern for testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
5.4 Confidence pattern for formal method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
5.5 AC pattern library used in the running example. Claims are represented as a contract C. . 97
5.6 Generated AC based on the AC pattern library in Figure 5.5. Dotted boxes highlight
the instantiated patterns. Confidence values when all evidence items are available
are shown in green, while red values indicate confidence with missing evidence for
testsExerciseRobustness(s
′
, r′
) (“Tests exercise robustness of the system s
′ with
respect to the requirement r
′
”) where s
′
is the system and r
′
is the requirement of interest. 100
5.7 Simplified ACs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
5.8 HSCN for the correctness of a software module and table for classifying confidence levels. . . . . . 105
5.9 Confidence network for C1 and C2 of N4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
5.10 A single BN used to reason about the confidence in the argument of Figure 5.8. . . . . . . . . . . 106
5.11 HSCN for an autonomous vehicle. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
5.12 Execution times for validation and confidence assessment using ARACHNE and a single-BN
approach when the HSCN is expanded horizontally (a) or vertically (b). Runtime performance of
ARACHNE for horizontally-expanded and vertically-expanded HSCNs (c). . . . . . . . . . . . . . 109
5.13 Compact representation of AC candidates for arguing the security of the ArduCopter
software in HCN form. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
ix

Abstract
Cyber-physical systems (CPSs) are integration of computation and control with physical processes of different nature via sensing and actuation platforms. As CPSs increasingly perform sophisticated, missioncritical tasks previously carried out by humans, a major challenge in their design is to ensure that they
execute the desired tasks while adhering to stringent safety and dependability requirements in uncertain
and unpredictable environments.
This dissertation addresses this challenge by proposing novel specification, verification, and design
methods using assume-guarantee (A/G) contracts. Contracts are a specification formalism that allows distinguishing between the behaviors a component promises (guarantees) and the ones it expects from the
environment (assumptions). By virtue of their rigorous algebra, contracts enable scalable, modular reasoning about a system’s behaviors via abstraction and decomposition. To date, however, A/G contract
frameworks have primarily been centered on discrete models and Boolean, qualitative notions of satisfaction.
In this dissertation, we propose two extensions of the existing contract frameworks to support continuous and hybrid system models as well as robust, quantitative notions of satisfaction and refinement in the
presence of uncertainty. We first introduce reward contracts, which enable capturing the preferred behaviors of an agent (objectives) in addition to its admissible behaviors (assumptions and guarantees). We use
x

signal temporal logic to express contract assumptions and guarantees and provide effective optimizationbased encodings of contract-based verification and synthesis problems for both cooperative and noncooperative multi-agent settings. We further introduce stochastic contracts, leveraging stochastic signal
temporal logic to enable compositional reasoning in the presence of uncertainty. We present quantitative
notions of contract satisfaction and contract refinement, investigate formulations of robust verification
and design space exploration problems with stochastic contracts as bi-level optimization problems, and
provide effective solution strategies for a class of stochastic systems. Finally, we show how contracts can
facilitate the manual and error-prone task of checking system compliance with regulatory standards and
system requirements. We present a contract-based method for the automated generation and evaluation
of assurance arguments about system correctness and dependability. We formalize an assurance argument
as a network of interconnected stochastic contracts and provide a coordinated approach that combines
logic and Bayesian reasoning to assess its logical validity and the associated risk. Overall, the proposed
extensions show how contracts can serve as a formal foundation for high-assurance design as well as rapid,
continuous certification of CPSs.
xi

Chapter 1
Introduction
This chapter provides the motivation behind the work of this dissertation and an overview of the main
contributions. We first discuss the challenges we face in the design and assurance of cyber-physical systems. Subsequently, we provide an overview of the technical contributions introduced by this dissertation
to address these challenges. Finally, we provide an outline of the organization of this dissertation.
1.1 Challenges in Design and Assurance of Modern Cyber-Physical
Systems
Cyber-physical systems (CPSs) are engineered systems that consist of cyber components, e.g., computing,
control, and networking components, that are tightly combined with physical processes, e.g., mechanical,
electrical, and chemical processes. As also observed by the National Science Foundation (NSF), they encompass a wide array of application domains, including agriculture, aeronautics, civil infrastructure, energy,
environment monitoring, healthcare, personalized medicine, manufacturing, and transportation [91]. Enabled by the underlying technical breakthroughs in hardware and software components, modern CPSs are
characterized by their complexity, heterogeneity, connectivity, autonomy, adaptability, to name a few [90].
Modern CPSs are complex since they are composed of multiple heterogeneous sub-systems that are connected and communicating to each other [153]. Some CPS applications, such as self-driving vehicles, can
1

independently make decisions without human intervention and adapt to the dynamic environment [45]
as well. Yet, ensuring safety and security in CPS designs remains a formidable challenge, especially in
uncertain and unpredictable environments.
The recent trend of integrating artificial intelligence (AI) and machine learning (ML) with CPSs has
enabled many autonomous functionalities. However, the tools and methodologies for providing formal
assurances regarding safety and security properties of CPSs are still in their infancy, which has led to the
deployments of inadequately assured CPSs into the market. For example, 663 collisions since 2014 [24],
and 2,676 and 8,216 disengagements∗
in 2021 and 2022, respectively, were reported for the self-driving
vehicles, a prime example of a safety-critical CPS, in the state of California only [25].
Disturbed by these recent incidents and the lack of safety and security guarantees from CPSs, many
people, including the regulatory authorities, and the general public, still remain skeptical about the trustworthiness of CPSs. For example, a growing percentage of people are questioning the trustworthiness of
CPSs, exemplified by the 68% of Americans who expressed fear of self-driving cars in 2023, up from 55%
in 2022. [95]. In light of these current challenges, this dissertation aims to address two fundamental questions: (1) Can we design trustworthy CPSs? and (2) Can we convince system engineers, regulatory authorities,
and the general public about the trustworthiness of CPSs?
In the rest of this section, we identify and detail the challenges in the design and assurance of modern
CPSs, motivating the contributions made in this dissertation.
1.1.1 Capturing and Managing Heterogeneous Requirements
Often regarded as one of the most important steps in the system design process, requirement engineering
is a process of specifying, analyzing, and maintaining requirements in designing engineering artifacts.
System requirements intend to capture the diverse needs of multiple internal or external stakeholders, such
∗Deactivation of the autonomous mode when a failure of the autonomous technology is detected or when the safe operation
of the vehicle requires that the autonomous vehicle test driver disengage the autonomous mode and take immediate manual
control of the vehicle.
2

as customers, project managers, component suppliers, and regulatory agencies. However, the imprecise
and ambiguous definitions of system requirements at the inception of the system design can result in
the failures of CPSs later in the system development cycle, leading to a prolonged product development
timeline. Furthermore, these heterogeneous requirements are occasionally passed around from one team to
another, e.g., a company (project team) to another company (project team) or a regulatory agency, leading
to instability and misinterpretations. Across various application domains, it has been observed that a
significant proportion of errors stem from imprecise, incomplete, or infeasible requirements, amounting
to up to more than 50% of all errors [98]. Moreover, the number of heterogeneous requirements from
numerous stakeholders has recently increased, particularly for the safety and security-critical CPSs that
should execute an unprecedented number of tasks while adhering to strict regulations.
Requirements may be conflicting, meaning some requirements cannot be satisfied simultaneously. For
example, item 221 of Singapore’s final theory of driving [130] suggests keeping a safe gap of one meter
when passing by a parked vehicle. In contrast, item 52 of Singapore’s basic theory of driving [129] prohibits
crossing a solid double white lane. As a result, when encountering a vehicle that is improperly parked in a
lane with a solid double white lane, an autonomous vehicle may need to violate either of these rules unless
the lane is wide enough to accommodate two cars with a buffer of one meter laterally. Thus, it is of utmost
importance to analyze and manage, i.e., delete, add, modify, or prioritize these requirements such that no
requirements are violated when a CPS is deployed.
1.1.2 Managing the Dependencies Between Design Decisions
Although individual subsystems might be well comprehended by system designers, their combination can
lead to emergent behaviors [28], making it particularly challenging to identify these behaviors or design
bugs that result from the interaction between subsystems [10]. The continually growing complexity and
the number of functionalities integrated into CPSs has led to a significant expansion of the design space.
3

Each dimension of the design space often requires a design choice among a finite number of options, e.g.,
selecting a component from a library of components, but also from an infinite number of options, e.g.,
choosing a real-valued control parameter within a certain interval.
Moreover, these dimensions are rarely independent; a decision made in one of the aspects of the system
has a series of repercussions for the other aspects. For instance, consider a scenario where a decision is
made to install a specific radar sensor for measuring the distance between a vehicle and the one in front of
it. This decision not only impacts the control strategy, since the strategy relies on the data from the radar
sensor, but also the system’s energy consumption, as running the specific radar sensor might require more
energy consumption than the other sensors.
1.1.3 Capturing and Dealing with Uncertainty
CPSs are naturally subject to the uncertainty that emanates from various sources, including noise and disturbances within the system, the intrinsically dynamic nature of the environment in which these systems
operate, and sometimes, the adversarial nature of the surroundings.
• Noise and Disturbances: In many CPS applications, inherent noise or disturbances can introduce
unpredictability and imprecision. For instance, sensor measurements might be affected by noise, and
stochastic forces acting on the actuation system can create disturbances that need to be accounted
for in the design and operation of the system.
• Dynamic Environments: The environment in which CPSs are deployed may be highly dynamic,
meaning that the external conditions can change rapidly and unpredictably. Consider self-driving
vehicles. Roads and traffic conditions are continuously changing for them, and they must adapt to
these dynamic changes while guaranteeing safety of the passengers.
4

• Adversarial Settings: In some instances, CPSs may operate in environments where they face adversarial behaviors. For example, a vehicle may face sensor spoofing where fake data is injected to
the sensor readings to cause the vehicle to incorrectly estimate its states and take dangerous actions.
In such settings, ensuring the safety and security of CPSs becomes even more challenging.
Dealing with uncertainty is a major challenge in the design and operation of CPSs. Unlike traditional
engineered systems with static operational contexts, modern CPSs need to be able to make decisions and
take actions that are robust in the face of uncertainty, which often requires advanced techniques in modeling, control, and decision-making. The first step in addressing these challenges would be precisely capturing the system requirements under uncertainty. However, formally specifying and reasoning about
probabilistic requirements, such as “the distance between a vehicle and the one in front of it should always
be larger than or equal to 10 m with probability 99%”, is still largely undeveloped.
1.1.4 Dealing with Intelligent Components in Cyber-Physical Systems
Modern CPSs such as multi-agent systems (MASs) consist of multiple intelligent components (or agents),
often enabled by AI. These agents, each possessing a degree of autonomy, may be driven by different
intentions to maximize their own rewards. In MASs, these agents engage in intricate interactions, including
cooperation, where agents align their efforts to accomplish their goals, and the other marked by noncooperation, where agents may act competitively to realize their intentions.
1.1.5 Certification Standards for Assurance of Emerging Cyber-Physical Systems
There is an absence of a universally accepted standard or a uniform set of assurance activities that can
effectively and comprehensively vet for the correctness and reliability of modern CPSs. Instead, we have
domain-dependent and often system-specific regulatory standards and assurance procedures, such as DO178C [119] in the aerospace industry and ISO-26262 [136] in the automotive industry. These standards
5

Design Verification &
Testing
Assurance Case
Generation
Assurance Case
Assessment
Chapters 3 and 4 Chapter 5
Figure 1.1: Overview of this dissertation.
and procedures have been crafted and tailored to meet the unique demands and intricacies of individual
CPS applications and sectors. Thus, it is hard to generalize these for the emerging CPSs. The absence of
a standardized and widely accepted assurance framework can impede the timely introduction of new CPS
products into the market, as each product may require new standards and time for running the extensive
verification and validation procedures prescribed in these new standards.
1.2 Efforts Towards Design and Assurance of Cyber-Physical Systems
Reflecting on the current challenges in design and assurance of CPSs, this dissertation suggests improvements that span the system development cycle, visualized in Figure 1.1. This dissertation provides a formal
foundation for a compositional and hierarchical design of CPSs under uncertainty. We leverage formal
temporal logic specifications to precisely define system requirements and assurance arguments as a collection of interrelated and interconnected assume-guarantee (A/G) contracts in both deterministic and
non-deterministic settings (Chapter 3-5). We provide methodologies for formulating and solving system
design, verification, and control synthesis problems using mixed integer programming (MIP) (Chapter 3
and 4). Finally, we rigorously synthesize and validate assurance arguments’ logical correctness, and quantify their strength, using an approach that combines logic and Bayesian reasoning (Chapter 5). In the
remainder of this section, we provide a concise survey of related works, highlighting distinctions between
6

these works and the approaches proposed in this dissertation. We conclude this section by summarizing
the main contributions of this dissertation.
1.2.1 Design and Verification of Cyber-Physical Systems
1.2.1.1 Formally Capturing System Requirements Under Uncertainty
Over the years, several approaches have been proposed to specify the desired behavior of a CPS using
a logic specification language with temporal modality, e.g., Linear Temporal Logic (LTL) [115]. While
LTL enables compactly expressing properties of Boolean-valued signals and behaviors of systems, Signal
Temporal Logic (STL) could capture wider class of properties including real-valued signals and behaviors
defined over dense time [84]. Moreoever, STL could naturally admit the quantitative semantics which
provide the margin by which a specification is satisfied, in addition to the yes-or-no answer.
However, logic specification languages such as LTL and STL fall short of accurately capturing the behaviors of CPS that are subject to uncertainty, e.g., due to the variability in the system modeling, noises,
or communication reliability. A few specification languages [122, 75, 79, 100, 78, 82] have been proposed
to capture probabilistic behaviors of CPS under uncertainty for design and verification. Stochastic signal
temporal logic (StSTL) [100] extended STL [48] to enable the expression of probabilistic temporal properties of real-valued stochastic systems. Robust semantics were formulated for Stochastic Temporal Logic
(StTL) [78], which has similar expressiveness as StSTL, to capture margins of satisfaction in terms of probability values and predicate values. Risk STL (RiSTL) has also been proposed to explicitly incorporate risk
metrics into the probabilistic STL syntax [82].
In this dissertation, we leverage StSTL and introduce quantitative semantics in terms of a robustness
estimate, capable of quantifying the degree of satisfaction of an StSTL formula [105]. Specifically, we
introduce a concept called the robustness estimate to reason about the robust satisfaction of probabilistic
temporal constraints. Moreover, we show that it can be mapped to another estimate, termed predicate
7

robustness estimate, which allows translating often intractable probabilistic constraints into more tractable,
deterministic constraints based on statistical measures such as expectations and variances of the system
variables.
1.2.1.2 Formulating and Solving System Design, Verification, and Control Synthesis Problems
LTL has been widely adopted for design and verification of CPS. The solution for the LTL satisfaction problem can usually be found by abstracting the system’s states as a discrete transition system and finding a
trace (or a counterexample) of the transition system which violates the LTL formula. If a counterexample
could not be found, the LTL formula is considered satisfied. The complexity of this satisfiability problem is either NP-complete or PSPACE-complete depending on the operators used in the LTL formula of
interest [132]. For compositionality of the design and verification procedure, a few computer-aided frameworks utilizing A/G contracts, for instance, CHASE (Contract-based Heterogeneous Analysis and System
Exploration) [96], were introduced to aid design and verification of systems under LTL specifications.
STL has also been widely used to formally specify the CPS design tasks. To synthesize optimal control
policies of a CPS subject to an STL formula, model predictive control (MPC) schemes [26] were utilized [117,
81]. With the assumptions that a discrete-time linear approximation of a system model is available, the
satisfaction of an STL formula could be encoded as a mixed integer linear program (MILP) [53, 118, 117,
83] by extending the Bounded Model Checking (BMC) paradigm for finite discrete systems.
In the presence of exogenous uncertainty that is upper and lower-bounded, a Counter Example-Guided
Inductive Synthesis (CEGIS) scheme was utilized for synthesizing reactive controllers capable of responding to finite [53, 118] or infinite (continuous) [141] number of uncertain environment behaviors, while
satisfying an STL formula. On the other hand, several approaches utilizing stochastic logic formalisms
were proposed to solve design and verification problems, aiming to establish whether a system, or a class
of systems, satisfies a certain property with high probability by verifying, for example, that a stochastic
8

system satisfies a stochastic requirement. Nuzzo et al. [100] proposed an A/G contract-based framework
which utilizes StSTL for specifying the system requirements. For classes of stochastic systems, an approach
leveraging the MILP encoding of the StSTL satisfaction problems was introduced for solving design and
verification tasks in stochastic settings. Lindemann et al. [82] took a similar approach by first translating a
RiSTL into STL formulas, and then encoding those STL formulas into a set of deterministic mixed-integer
constraints. The encoding was then used for synthesizing a control trajectory that robustly circumvents
probabilistic risks.
In this dissertation, we propose two extensions of the existing contract frameworks to support continuous and hybrid system models as well as robust, quantitative notions of satisfaction and refinement
in the presence of uncertainty. We first introduce reward contracts, which capture an agent’s preferred
behaviors (objectives) and its admissible behaviors (assumptions and guarantees) [104]. We use STL to
express contract assumptions and guarantees. We also provide effective optimization-based encodings
of contract-based verification and synthesis problems for cooperative and non-cooperative multi-agent
settings.
Then, we introduce the quantitative semantics of StSTL [105] which quantify the probabilistic margin
by which an STL formula is satisfied. These semantics allow us to formulate quantitative verification and
parameter synthesis problems over parametric system models and StSTL contracts. Such problems are
framed as bi-level optimization problems. For linear systems with additive Gaussian uncertainty [147,
111], we demonstrate that the robust satisfaction of a bounded-time fragment of StSTL can be encoded
as a MILP or mixed integer quadratically-constrained program (MIQCP), which can be efficiently solved
using off-the-shelf solvers. Based on these encodings, we also introduce effective algorithms to solve the
quantitative verification and parameter synthesis problems with StSTL contracts.
9

1.2.2 Assurance of Cyber-Physical Systems
1.2.2.1 Formalizing and Synthesizing Assurance Arguments
An assurance case (AC) is a series of structured assertions, constructed in pursuit of establishing the specifications of a system, embedded within its operative environment or scope, by means of hierarchical steps
which map a claim to evidence via strategies and intermediary claims [64, 121, 19, 112]. In an AC, a system
specification is stated as a claim whose adoption must be supported by evidence gathered from the data
obtained during the development and testing of the system. An argument seeks to establish the veracity
of a claim based on the evidence.
ACs employ various representations, including textual representations with explicit propositions in
structured language [71] and graphical notations to help identify the different kinds of semantic units
(atomic parts) of the argument, such as the Claims-Arguments-Evidence (CAE) notation [4] and the Goal
Structuring Notation (GSN) [140]. An AC is then represented as a directed acyclic graph mapping the
system specification (the top-level claim) from the root node to the leaf nodes representing the evidence.
By convention, leaf nodes in GSN support the detailed claim situated in the immediately above layer.
GSN provides the ability to incorporate contexts and assumptions made in the argument and strategy
nodes, which serve as an explanatory step to connect the refinement steps between claims on consecutive
levels [121, 64]. However, the creation of rigorous and interpretable arguments is non-trivial, and only a
number of attempts have been made toward formalisms and tools that can assist in this task [69, 19].
In this dissertation, we propose a formalization of an AC as a hierarchically organized network of A/G
contracts, specified by using a stochastic version of propositional logic [106]. Furthermore, we introduce
an efficient synthesis algorithm that automates the creation of AC candidates [145, 146]. This algorithm
utilizes a pattern library of pre-order relations, where each relation links a claim with its supporting (sub)-
claims [108].
10

1.2.2.2 Measuring the Confidence of Assurance Arguments
Rigorous formulations of a notion of strength in ACs have been proposed and studied in several publications. Graydon et al. [63] surveyed multiple proposals for quantifying the strength of an argument using
confidence, ranging from Bayesian networks (BNs), Dempster-Shafer theory [41], Jøsang’s opinion triangle [76], weighted average [151], and evidential reasoning [89]. In BN architectures, the confidence in
the top-level goal claim is calculated through recursive application of Bayes’ theorem from the leaf node
upwards. Prevailing approaches propagate probabilistic assessments through the reasoning steps of an
argument, e.g., based on Probability Logic [2], either by bounding the uncertainty of the conclusion with
the sum of the uncertainties of the premises or assuming that top-level claims always follow from the conjunction of leaf-level subclaims [121]. These approaches tend to provide overly pessimistic estimates and
fall short of adequately accounting for either the logical form of the reasoning steps or their relationship
with the various components of a software architecture.
In this dissertation, we present an AC assessment procedure that uses logic and probabilistic reasoning
to effectively identify a set of logically valid and most persuasive AC candidates [106, 146, 107]. Specifically,
we introduce confidence networks as a formalism to represent and quantify the uncertainty and confidence
associated with predicates about a system and its development process given the available evidence. We
then propose a decision procedure that efficiently coordinates logic and probabilistic reasoning to check
the validity of an argument and evaluate its overall confidence level.
1.2.3 Summary of the Main Contributions
In this dissertation, we address some of the key challenges, which have been identified in Section 1.1,
towards designing and assuring safety, security, and robustness of CPSs.
• We develop an extension of the A/G contract framework, which can specify and reason about intelligent components’ admissible behaviors by leveraging STL, and their preferable behaviors that
11

involve optimization of reward objectives. Specifically, we introduce methodologies for constructing
new reward contracts via conjunction and composition and verifying system properties via contract
refinement.
• We develop an A/G contract framework that enables quantitative verification and design space exploration of CPSs in the presence of uncertainty. We introduce quantitative semantics for StSTL
and formulations of the quantitative verification and design space exploration problems based on
the A/G contract framework as bi-level optimization problems. We show that these optimization
problems can be effectively solved for a class of stochastic systems and a fragment of bounded-time
StSTL formulas.
• We develop a framework for the automated, compositionaln formal assurance of structured arguments, for instance, about the safety or reliability of a system design. Given a top-level goal of an
argument, a library of atomic argument patterns, and confidence models, we propose a procedure
that generates logically valid arguments, selects a subset of arguments, and quantifies their strength
in terms of confidence by coordinating logic and Bayesian reasoning.
1.3 Organization
The rest of the dissertation is organized as follows. In Chapter 3, we extend the A/G contract framework
to capture the admissible and preferable, yet deterministic, behaviors of intelligent components. Chapter 4
introduces the quantitative semantics for StSTL and presents formulations for quantitative verification and
design space exploration problems in stochastic settings using contracts, along with a solution strategy
for addressing these problems. In Chapter 5, we propose a framework for automated assurance of CPS,
utilizing stochastic A/G contracts to automatically synthesize assurance arguments, verify their logical
validity, and quantify their confidence levels. Finally, Chapter 6 summarizes the key contributions of this
12

dissertation, discusses the remaining challenges, and suggests future directions for advancing the design
and assurance of CPSs.
13

Chapter 2
Preliminaries
This chapter provides the background and concepts utilized in this dissertation. We first define the notations that appear in this dissertation. Then, we provide an overview of assume-guarantee (A/G) contracts
and how they are used in multiple ways in this dissertation. Finally, we provide reviews of temporal logic
formalisms utilized for specifying and abstracting components and subsystems of CPSs.
2.1 Notations
We denote the set of real numbers, non-negative real numbers, and non-negative integers by R, R≥0, and
N0, respectively. The transpose of a vector a and a matrix A are denoted by a
T
and AT
, respectively. For
a set B, its complement is B, while |B| denotes its cardinality. The empty set is denoted by ∅, while ∪
and ∩ represent the union and intersection between sets, respectively. The symbol ⊤ denotes the Boolean
value true while ⊥ denotes false, with B = {⊤, ⊥}. Finally, we use logical symbols: ¬, ∧, and ∨ to denote
the logical negation, conjunction, and disjunction, respectively.
14

2.2 Assume/Guarantee (A/G) Contracts
The concept of assume-guarantee A/G contracts originates from the assume-guarantee reasoning [137,
1, 34], which has been widely developed in the context of software engineering [109, 60, 20] and further extended for model-driven, platform-based engineering [97, 100]. A/G contracts enable modular and
hierarchical design and verification of complex systems by rigorous decomposition of system-level requirements into component-level specifications [35, 123, 103, 62, 101, 33, 55, 16]. Several A/G contract
frameworks have been proposed over the years to support a variety of models of computation (e.g., synchronous, dataflow, or timed models) for embedded system design [16]. However, developing contract
frameworks that are rich enough to support CPS design is an active research area [103, 100].
In this dissertation, we advocate the use of A/G contract framework, introduced by Benveniste, et
al. [15] as a fundamental component of the CPS design and assurance processes. We utilize A/G contracts
in two different contexts: 1) the design and verification of CPSs, and 2) the assurance of CPSs. Within
the former context, we utilize A/G contracts for an array of tasks including the design space exploration,
control synthesis, and verification of CPSs. Traditionally, A/G contracts have found more frequent utilization within this context. On the other hand, we employ A/G contracts to formally construct structured
assurance arguments for CPSs, and leverage their compositionality to enhance the efficiency of argument
validations and assessments. In the following, we first introduce the A/G contract framework within the
former context. We start with the notions of components and contracts, followed by the operations and
relations of the contract algebra.
2.2.1 Components and Contracts
Let M be a component, i.e., an element of a system, characterized by a set of ports, a set of variables V ,
and a set of behaviors [[M]] over V . Components can be connected and form a composition by sharing
specific ports where the values of certain variables can be exchanged under constraints. We denote the
15

composition of components M1 and M2 by M1 × M2. Then, the behaviors of the composition M1 × M2.
can be described as the intersection of the behaviors of its components, i.e., [[M1 ×M2]] = [[M1]]∩[[M2]].
The component M may be associated with a contract C that concisely specifies or captures its behaviors.
An A/G contract C for the component M is a triple (V, A, G), where V is the set of variables, and A
and G are sets of behaviors over V . The assumptions A are the set of behaviors that M expects from its
environment. The guarantees G are the set of behaviors M promises given that the environment provides
behaviors within A. A component E is a valid environment of C, i.e., E |=E C, if [[E]] is contained
within A, i.e., [[E]] ⊆ A. A component M is a valid implementation of C, i.e., M |= C, if the set of its
behaviors [[M]] intersected with A is contained in G, i.e., [[M]] ∩ A ⊆ G, or [[M]] ⊆ G ∪ A. A contract
C = (V, A, G) is compatible if and only if there exists a valid environment for it, i.e., A ̸= ∅, and consistent
if and only if there exists a valid implementation, i.e., G ∪ A ̸= ∅. We say that a contract C is in saturated
form if G = G ∪ A. Any contract C can be saturated by turning it into C
′ = (V, A′
, G′
) where A′ = A
and G′ = G ∪ A. C and C
′
are equivalent since they are characterized by the same environments and
implementations.
Consider a valuation function v : V → V which assigns a value among the set of values V to each
variable within V . If the valuation v over V , denoted as v(V ) := v0v1 · · · , satisfies a logic formula ϕ over
the same variables V , we denote this relationship as v(V ) |= ϕ. A and G can often be replaced by logic
formulas ϕA and ϕG, respectively, if A := {v(V )|v(V ) |= ϕA} and G := {v(V )|v(V ) |= ϕG}. We omit V
in the contract tuple when it is clear from the context. In the remainder of this dissertation, we consider
a pair (A, G) and (ϕA, ϕG) interchangeably as an A/G contract. Moreover, unless otherwise specified,
we assume contracts are always saturated, as the contract operations and relations are defined over the
saturated contracts.
16

2.2.1.1 Contract Operations
Refinement is a pre-order relationship between contracts, which allows reasoning about the replaceability
of a contract by another contract. We say that C2 = (A2, G2) refines C1 = (A1, G1), written C2 ⪯ C1,
if and only if C2 has weaker assumptions, i.e., A1 ⊆ A2, and stronger guarantees (in the context of the
assumptions), i.e., G2 ∪ A2 ⊆ G1 ∪ A1. We can then establish a pre-order relationship C2 ⪯ C1 between
C1 and C2 or replace C1 with C2.
Contracts can be combined to construct more complex contracts using the conjunction (∧) and (parallel)
composition (⊗) operations. Conjunction and composition of C1 = (A1, G1) and C2 = (A2, G2) can be
computed as follows:
C1 ∧ C2 = (A1 ∪ A2, G1 ∩ G2) (2.1)
C1 ⊗ C2 =

(A1 ∩ A2) ∪ (G1 ∩ G2), G1 ∩ G2

(2.2)
Conjunction can be used, for example, to combine multiple requirements that must be satisfied simultaneously by a single component. If a component M implements the conjunction of C1 and C2, i.e.,
M |= C1 ∧ C2, then M also implements C1 and C2 individually, i.e., M |= C1 and M |= C2. On the
other hand, composition can combine multiple component-level requirements to obtain a system-level requirement. Given M1 such that M1 |= C1 and M2 such that M2 |= C2, we can reason about the properties
of the composite system M1 × M2 using C1 ⊗ C2. We refer to the literature [15, 73] for further details on
the formal semantics of contracts and their algebra.
2.2.2 A/G Contracts for Design and Verification of Cyber-Physical Systems
A component M, characterized by its ports (or variables) V and behaviors [[M]], is a model that represents
our knowledge of an element of a system. It not only includes the knowledge but also the limitations in our
17

Requirement, Component,
Verification Design & Synthesis
Verified Counterexample Design
or
Control
Trajectory
No Design
or
No
Control
Trajectory
Figure 2.1: Design, Verification, and Synthesis using A/G contracts.
knowledge, the capacity, the operating environment, and the uncertainty surrounding this element. On the
other hand, a requirement, written as a contract C, is a set of behaviors, depicted using specifications, that
we assume on the behaviors of the environment and a set of behaviors that we expect from the component
M.
We use a component M and a requirement C to formally design, verify, and synthesize control for CPSs.
We can formally design a CPS by finding, for example, a component M, when placed within the operating
environment, satisfies the requirement C, i.e., M |= C. The design problem may become more complex.
For instance, we may design a system by selecting multiple components M1, M2, and M3 such that when
they are composed together, they satisfy the system requirement CS, i.e., M1 ⊗M2 ⊗M3 |= CS. Then, we
can formally verify a CPS by checking that a component M satisfies a requirement C, i.e., M |= C. Finally,
we can formally synthesize control for a component M given the initial state of M and a requirement C
by finding a control that leads the states of the component M to satisfy the requirement C. We cover all
three aspects of formal design and verification of CPSs in this dissertation.
18

System Architecture
Requirements

Component Req.,
Requirement,
Component,
Component Req., Component Req.,
Component, Component,
Conjunction ∧
≽
Refinement
Implementation ⊨
Composition ⊗
Composition 1 ⊗ 2
= 1 ∩ 2 ∪ 1 ∩ 2
= 1 ∩ 2
Conjunction = 5 ∧ 6
= 5 ∪ 6
= 5 ∩ 6
Refinement 3⊗4 ≼
⊆ 3⊗4
3⊗4 ⊆
Implementation 1 ⊨ 1
1 ∩ 1 ⊆ 1
Sub-System Req.,
Sub-System
Figure 2.2: Anatomy of hierarchical system design using A/G contracts.
2.2.3 A/G Contracts for Hierarchical Design and Verification of Cyber-Physical
Systems: An Example
A/G contracts inherently facilitate a hierarchical and compositional approach to designing CPSs. Consider a CPS design task featuring two overarching system-level requirements, C5 and C6, as depicted in
Figure 2.2. These requirements, governing the system as a whole, can be conjoined into a single requirement, Cs = C5 ∧ C6. Assuming that Cs can be decomposed into contracts C3 and C4, and C4 can be
decomposed into C1 and C2, it results in a structured hierarchy of requirements, as shown in Figure 2.2.
In this example, the design and verification tasks encompass two main aspects: 1) ensuring that each implementation Mi correctly implements Ci
, i.e., Mi
|= Ci
, ∀i, and 2) confirming that the composition of
the sub-level contracts refines the upper-level contracts, i.e., C1 ⊗ C2 ⪯ C4 and C3 ⊗ C4 ⪯ CS. When
all these tasks are accomplished successfully, the combination of implementations ×3
i=1Mi constitutes the
final design Ms that fulfills the system-level requirements C5 and C6, i.e., Ms |= C5 ∧ C6.
19

2.2.4 A/G Contracts for Assurance of Cyber-Physical Systems
On the other hand, A/G contracts can be used as a specification formalism [13] to represent claims about
the system of interest, as well as the contexts under which the claims must hold. An A/G contract C is a
triple (V, ϕA, ϕG) which specifies an atomic claim where V is the set of variables, ϕA (assumptions) is the
formula over V specifying the contexts under which the claim must hold, and ϕG (guarantees) is a formula
over V specifying the promises of the claim given that the context ϕA is satisfied.
A contract C is compatible if there exists a valid context for the claim to hold, i.e., ϕA is satisfiable, and
consistent if there exists a valid promise, i.e., ϕA → ϕG is satisfiable. We can reason about the replaceability
of a contract by another contract via the refinement relation. We say that C2 = (ϕA2, ϕG2) refines C1 =
(ϕA1, ϕG1), written C2 ⪯ C1, if and only if C2 has a weaker context under which it holds, i.e., ϕA1 → ϕA2,
and promises more than C1, i.e., ϕG2 → ϕG1. We can then replace C1 with C2. Contracts C1 and C2 can
also be combined using conjunction (C1∧C2) and composition (C1⊗C2) to construct a more complex claim
from two simpler claims on the same component or two different components, respectively.
2.3 Formalisms for Capturing System Requirements
While A/G contracts provide a foundation for specifying and reasoning about a variety of component or
system-level behaviors, these behaviors should be concretely represented using logic formalisms such as
temporal logic or differential equations. In this section, we review two temporal logic formalisms: signal
temporal logic and stochastic signal temporal logic, that are leveraged in this dissertation.
2.3.1 Signal Temporal Logic
Signal temporal logic (STL) [85, 46, 47] was introduced as an extension of Metric Interval Temporal Logic
(MITL) [5, 51] for specifying properties of dense-time real-valued signals. It was first utilized to provide a
qualitative, i.e., yes-or-no, answer to a question of whether a system signal satisfies an STL formula. Later,
20

the quantitative semantics of STL was introduced to indicate the degree of satisfaction [47]. It has been
utilized in multiple applications, from online monitoring of signals [44] and control synthesis [117], to
automated identification and repair of unrealizable hybrid system specifications [59].
2.3.1.1 Syntax of Signal Temporal Logic
The syntax of an STL formula is given as follows:
ϕ := µ(v) > 0 | ¬ϕ | ϕ1 ∧ ϕ2 | ϕ1U[t1,t2]ϕ2 (2.3)
where µ is a real-valued function µ : V → R, ϕ1 and ϕ2 are STL formulas, [t1, t2] is a time interval, and
U is the until temporal operator. Other temporal operators such as globally (G) and eventually (F) can be
expressed using the operators introduced in (2.4), i.e., F[t1,t2]ϕ = ⊤U[t1,t2]ϕ and G[t1,t2]ϕ = ¬F[t1,t2]¬ϕ.
Globally (G) are usually employed to specify safety requirements, i.e., “bad things never happen,” while
eventually (F) are usually used to specify liveliness requirements, i.e., “good things will eventually happen.”
We denote (v, k) as a sequence starting from time step k, i.e., vkvk+1 · · · where vk = (v0,k, v1,k, · · ·)
T
and
vi,k is the value assigned to the i-th variable at time step k by the valuation function v.
21

2.3.1.2 Semantics of Signal Temporal Logic
The Boolean semantics of STL is defined recursively as follows:
(v, k) |= µ ↔ µ(vk) > 0
(v, k) |= ¬ϕ ↔ ¬((v, k) |= ϕ)
(v, k) |= ϕ1 ∧ ϕ2 ↔ ((v, k) |= ϕ1) ∧ ((v, k) |= ϕ2)
(v, k) |= ϕ1U[t1,t2]ϕ2 ↔ ∃i ∈ [k + t1, k + t2] : ((v, i) |= ϕ2)∧
(∀j ∈ [k, i − 1] : (v, j) |= ϕ1).
Syntax and semantics of STL allow the interval [t1, t2] in an STL formula to be unbounded, e.g., [t1, +∞). In
this dissertation, we focus on bounded-time STL formulas, i.e., formulas in which t2 ̸= +∞ for any interval
[t1, t2]. The bound Hϕ of an STL formula ϕ is the maximum over the sums of all nested upper bounds on
the temporal operators, which provides the minimum trajectory length to determine its satisfiability [118].
For instance, a trajectory of a signal s with length Hϕ0 = 2 + 4 = 6 is needed to decide the satifiability of
an STL formula ϕ0 := G[1,2]F[3,4](s > 0).
Unlike the Boolean semantics of STL, which can only provide a yes-or-no answer to whether a system
satisfies an STL formula, the quantitative semantics of STL enables the quantification of the margin by
22

which an STL formula is satisfied by a system [47]. The quantitative semantics of STL is defined recursively
as follows:
ρ(µ, v, k) = µ(vk)
ρ(¬ϕ, v, k) = − ρ(µ, v, k)
ρ(ϕ1 ∧ ϕ2, v, k) = min (ρ(ϕ1, v, k), ρ(ϕ2, v, k))
ρ(ϕ1U[t1,t2]ϕ2, v, k) = sup
t
′∈[t1,t2]
min
ρ(ϕ2, v, t′
), inf
t
′′∈[0,t′
]
ρ(ϕ1, v, t′′)

where ρ(ϕ, v, k) is the robustness estimate of a behavior of system (v, k) with respect to the STL formula
ϕ. The quantitative semantics of STL is sound, i.e., ρ(ϕ, v, k) > 0 =⇒ (v, k) |= ϕ and ρ(ϕ, v, k) < 0 =⇒
(v, k) ̸|= ϕ, and correct, i.e., ((v, k) |= ϕ) ∧

∥v − v
′
∥∞ < ρ(ϕ, v, k)

=⇒ (v
′
, k) |= ϕ [47].
2.3.2 Stochastic Signal Temporal Logic
Stochastic Signal Temporal Logic (StSTL) [100] extends STL [48] to enable the expression of probabilistic
temporal properties of real-valued stochastic systems. We use StSTL to represent contract assumptions
and guarantees.
2.3.2.1 Syntax of Stochastic Signal Temporal Logic
StSTL formulas are defined over APs represented by chance constraints of the form: µ
[p]
:= P{µ (v) ≤ 0} ≥
p, where µ : V → R is a real-valued measurable function, v ∈ V is a random vector on the probability
space (Ω, F, P), and p ∈ [0, 1] is the probability threshold. An AP evaluates to ⊤ if and only if µ(v) ≤ 0
holds with probability larger than or equal to p. The syntax of an StSTL formula is given as follows:
ϕ := µ
[p]
| ¬ϕ | ϕ ∧ ψ | ϕU[t1,t2]ψ, (2.4)
23

where µ
[p]
is an AP, ϕ and ψ are StSTL formulas, t1, t2 ∈ N0∪{+∞}, and U is the until operator. Temporal
operators such as globally (G) and eventually (F) can be expressed using the operators in (2.4).
2.3.2.2 Semantics of Stochastic Signal Temporal Logic
The semantics of StSTL are defined recursively as follows:
(v, k) |= µ
[p] ↔ P{µ (vk) ≤ 0} ≥ p,
(v, k) |= ¬ϕ ↔ ¬ ((v, k) |= ϕ),
(v, k) |= ϕ1 ∧ ϕ2 ↔ ((v, k) |= ϕ1) ∧ ((v, k) |= ϕ2),
(v, k) |= ϕ1U[t1,t2]ϕ2 ↔ ∃i ∈ [k + t1, k + t2] : ((v, i) |= ϕ2) ∧ (∀j ∈ [k, i − 1] : (v, j) |= ϕ1).
An interval [t1, t2] in an StSTL formula can be unbounded, e.g., of the form [t1, +∞). In this dissertation, we focus on bounded-time StSTL formulas, i.e., formulas that only include bounded intervals.
24

Chapter 3
Reward Contracts for Cyber-Physical System Design With Objectives
In this chapter, we propose a comprehensive A/G contract-based framework using signal temporal logic
(STL) to express requirements in a declarative specification style. Moreover, we consider components or
agents that, in addition to satisfying their guarantees, may also attempt to produce behaviors that are
considered “preferable” with respect to a certain goal or objective. Performance is a common example of
such an objective. For instance, besides a safety requirement that a minimum distance to the neighboring
agents must be maintained, an autonomous agent may have a performance objective of minimizing the
time to destination or fuel consumption. Unlike the guarantees, which a component must be designed to
satisfy under all valid environments, an objective does not mandate the component to always behave in an
optimal manner; nevertheless, it may play a crucial role in shaping its behaviors. Existing contract-based
frameworks, however, do not provide a method to capture such a notion of objectives.
3.1 Introduction
We propose an extension of the A/G contract framework termed reward contracts. Along with the assumptions and guarantees, a reward contract includes an objective O that captures how desirable are
certain behaviors over the others. In particular, we define O : G → R
n
as an objective function that ranks
each valid behavior of a component with a (possibly multi-dimensional) quality metric. Building on this
25

notion of contract, we propose a mathematical framework for the design and verification of CPSs with
objectives, including methods for constructing new contracts via conjunction and composition, and for
verifying system properties out of component properties by checking contract compatibility, consistency,
and refinement.
Some of the components in a system may have conflicting objectives, in that optimizing an objective
for a certain component results in a sub-optimal behavior for another component. When these components
are composed, potential conflicts may arise. Our framework provides an approach to capture or resolve
such conflicts by formulating this problem as a multi-objective optimization problem. In particular, the
proposed framework provides the notion of cooperative composition to model system interactions where
some of the components are designed to cooperate with each other to produce optimal behaviors for the
overall system. Therefore, by supporting the formalization of rewards and cooperative compositions, our
framework can also provide support for the design and verification of multi-agent systems.
By developing a framework of reward contracts, we also establish a link between contract-based design and optimal control of multi-agent systems. Optimal control is the long-studied problem of synthesizing a controller that attempts to maximize a given reward function while satisfying a set of system
constraints [155]. Among prior works, the ones that are closest to ours are approaches that employ formal
logic, e.g., linear temporal logic (LTL) or signal temporal logic (STL), to specify the desired behavior of the
system while producing an optimal control law. Unlike these previous efforts, which mostly deal with the
control of a single system or component, our work provides a formal framework that enables compositional reasoning about the behaviors of multiple components that may have their own distinct objectives
to be optimized. Our contributions can be summarized as follows:
• We instantiate the A/G contract framework using STL and introduce optimization-based algorithms
to solve verification problems such as contract compatibility, consistency, and refinement checking.
We show contract-based verification problems for STL formulas with linear APs and discrete-time
26

linear dynamical systems can be encoded as MILPs that can be solved using off-the-shelf optimization tools. To the best of our knowledge, this is the first contract framework for discrete-time systems
and STL specifications.
• We introduce a notion of contract that can express a component’s objectives and characterize its
sets of desirable behaviors, in addition to its assumptions and guarantees. Building on this notion of
contract, we propose a mathematical framework for the design of CPSs with objectives, including
methods for constructing new contracts via conjunction and composition, and for verifying system
properties out of component properties via contract refinement. Our framework also supports the
representation of the interactions between agents in multi-agent CPSs as well as their cooperative
and non-cooperative behaviors toward achieving their goals via the notions of cooperative and noncooperative composition.
• Given a set of cooperating or non-cooperating components, each specified by a reward contract,
we devise methods to synthesize optimal control laws for all the agents that satisfy their contracts
following a MPC approach.
We illustrate the effectiveness of the proposed framework on case studies from connected and autonomous vehicles. A preliminary version of the results of this chapter appeared in our previous publication [104], where we first introduced the formal framework of reward contracts. In this chapter, we
expand on our previous formulation and present, for the first time, a concrete instance of reward contracts
using STL. We propose optimization-based encodings of contract-based verification and synthesis tasks
and algorithms that can effectively solve them for a class of dynamical systems and STL reward contracts.
Finally, we discuss the computational complexity of the proposed schemes end empirically evaluate the
execution time on the case studies.
27

The rest of this chapter is organized as follows. After an overview of the related work in Section 3.2,
Section 3.3 introduces an example motivating the proposed extensions to the existing A/G contract framework. Section 3.4 provides the class of systems considered in this chapter. Section 3.5 details the proposed
framework, while Section 3.6 describes its concrete instance using STL, together with the encodings of
the verification and synthesis problems into optimization problems. We describe the algorithms to solve
these problems in Section 3.7 and evaluate them on the case studies in Section 3.8. Finally, Section 3.9
summarizes this chapter and draws some conclusions.
3.2 Related Work
Over the years, several approaches have been proposed to specify the desired behavior of a single system
using a logic specification language with temporal modality, e.g., LTL or STL [85], and to synthesize a
control law such that the system (optimally) satisfies the behaviors expressed in a logic specification. The
solution for the LTL control synthesis problem can usually be found by solving a two-player game played
between a system and an environment that utilizes a finite automaton constructed from an LTL formula.
While the synthesis problem with a general LTL formula was solvable in double-exponential time [114],
synthesizing a control for a general reactivity of rank 1 (GR(1)) fragment of LTL was shown to be solvable
using an efficient polynomial time symbolic synthesis algorithm [113, 77, 86]. For compositionality of the
design and verification procedure, a few computer-aided frameworks using A/G contracts, for instance,
CHASE (Contract-based Heterogeneous Analysis and System Exploration) [96], were introduced for design
and verification of systems under LTL specifications. While LTL enables compactly expressing properties
of Boolean-valued signals and behaviors of systems, we utilize STL as a logic formalism to specify wider
class of properties for real-valued signals and behaviors defined over dense time [85].
Given that a discrete-time linear approximation of a system model is available, the satisfaction of an
STL formula can be encoded as a MILP [53, 118, 117, 83] by extending the BMC paradigm for finite discrete
28

systems. Off-the-shelve optimization tools such as Gurobi [66] can be used to solve such MILP problems.
In the presence of exogenous uncertainty, CEGIS scheme was utilized for synthesizing reactive controllers
capable of responding to finite [53, 118] or infinite (continuous) [141] number of uncertain environment
behaviors. While assuming the existence of a function that can predict the environment behaviors, Raman
et al. [117] proved that the satisfaction problem of a fragment of STL, namely, Safe Negation-Normal
STL (SNN–STL), can effectively be solved in polynomial time given that the proposed algorithm does not
terminate. Unlike these efforts, which mostly deal with the control synthesis of a single component, our
focus is on enabling compositional reasoning about the behaviors of multiple components, subject to STL
specifications, that may have their own objectives to be optimized.
Several methods have also been proposed to synthesize control policies for multi-agent systems under
temporal logic constraints. The BMC encoding of LTL formulas can be leveraged to coordinate LTL task
planning with resilient motion planning in the presence of bounded disturbances and denial-of-service attacks [138]. The overall planning problem can then be encoded as a satisfiability modulo convex programming problem and efficiently solved for multi-robot systems in a centralized fashion. A fully distributed
strategy has been proposed to solve a multi-robot coordination problem with safety guarantees and mission specifications given as a set of LTL formulas [152]. Each agent is assigned an LTL specification from
the set of LTL specifications such that overall safety guarantees and mission specifications are satisfied.
Then, the trajectory synthesis problem for a single agent was performed using search-based, automatabased, or optimization-based methods. The conflicts between the agents are resolved by assigning priority
to the motion of specific agents and sequentially solving a local optimization problem for each agent.
Spellini et al. proposed a control synthesis and validation framework for a multi-agent software system
using A/G contracts specified in LTL [135]. In this work, system-level A/G contract was decomposed into
local, agent-level A/G contracts. Each agent in this framework was controlled by the c++ executable that
can be synthesized from a Mealy machine implementing the corresponding robot-level A/G contract.
29

Buyukkocak et al. [23] extended STL with integral predicates, to express cumulative properties spanning multiple time steps, and proposed mixed-integer linear programming (MILP) encodings of the optimal
control synthesis problem, similar to those of [118, 117], for multi-agent systems in a centralized manner.
Charitidou et al. [32] introduced a method to decompose a global STL specification for a multi-agent system
into local STL formulas capturing the tasks of the agents. Each agent’s controller was synthesized from the
local STL formulas by using an MPC scheme where a quadratically constrained quadratic program (QCQP)
was solved for each time step. Our approach complements the aforementioned control synthesis methods. We provide a generic and compositional framework that encompasses system requirements expressed
in STL, reward objectives, and the contextual representation of cooperative and non-cooperative behaviors. Our framework establishes a link between contract-based design and optimal control of multi-agent
systems, bridging the gap between previous verification and synthesis methods.
3.3 Motivating Example
Consider two autonomous vehicles at a T-junction without any traffic lights where only one car can pass
at a time. Each vehicle can either Pass or Wait. If both vehicles decide to pass through the T-junction
at the same time, they will collide. On the other hand, if both decide to wait, they may enter a deadlock
state in which they wait indefinitely. Ideally, we would like one vehicle to wait and the other to pass, so
that they can traverse the T-junction one at a time. We model the preference between system behaviors
by assigning a reward to each combination of actions of the two vehicles, (u1, u2), where u1 is the action
of vehicle 1 (M1) and u2 is that of vehicle 2 (M2). The objectives of M1 and M2 are to maximize the
rewards associated with their actions, shown in Table 3.1 and 3.2, respectively. Rewards are as low as −10
to penalize collision and take on a maximum value when a vehicle manages to traverse the junction.
From the perspective of M1, the behavior that results in the optimal reward is(u1, u2) = (Pass, Wait).
However, if M1 is not aware of the next action or associated reward of M2, it will instead opt for Wait
30

Table 3.1: Rewards R1 for M1
u1
u2
Wait Pass
Wait −1 −1
Pass 3 −10
Table 3.2: Rewards R2 for M2
u1
u2
Wait Pass
Wait −1 4
Pass −1 −10
Table 3.3: Rewards R3 for M1 ×
M2
u1
u2
Wait Pass
Wait −2 3
Pass 2 −20
since it must act conservatively to guarantee safety (i.e., no collision) for all the possible actions of M2.
If M2 selects its action in the same manner as M1 (i.e., maximizes its own reward), the two vehicles will
enter the deadlock state. On the other hand, if the vehicles were able to communicate their actions and
rewards to each other, they may be able to avoid deadlock by making decisions in a cooperative manner.
We would like to formally reason about the overall behavior of this multi-agent system using A/G
contracts, where each vehicle is modeled as a component implementing a contract, and the composition
of M1 and M2 represents the end-to-end system. To do so, we seek for a framework that 1) captures the
behaviors of a component while optimizing its objective, and 2) supports a composition mechanism that
takes into account the notion of cooperation and non-cooperation. In the following section, we provide a
framework which enables both aspects.
3.4 Dynamical System Model
In this section, we provide the reference dynamical model of a multi-component system where a finite number of components or agents interact with each other. For each component Mi
, we assume a discrete-time
dynamical model, which can be obtained, for example, by discretization of the continuous-time dynamics,
given a fixed positive discretization step ∆t. The resulting discrete-time model for Mi
is in the form:
xi,k+1 = fi(xi,k, ui,k, wi,k), (3.1)
31

where xi,k ∈ Xi
is the state, ui,k ∈ Ui
is the control input, wi,k ∈ Wi
is the environment input at time
step k, fi
: Xi × Ui × Wi → Xi
is a function describing the evolution of Mi
’s state over time.
A behavior of Mi starting from time step k is a sequence, (ξi
, k) = ξi,kξi,k+1 · · · where ξi,k =
(x
T
i,k, uT
i,k, wT
i,k)
T
. Given an initial state xi,0 ∈ Xi
, a sequence of control inputs u
H
i = ui,0ui,1 · · · ui,H−1 ∈
U
H
i
, and a sequence of environment inputs wH
i = wi,0wi,1 · · · wi,H−1 ∈ WH
i
, the unique behavior of Mi
over the time horizon H is denoted as:
ξi(xi,0, u
H
i
, wH
i
) = (xi,0ui,0wi,0) (xi,1ui,1wi,1)· · ·(xi,H−1ui,H−1wi,H−1)xi,H, (3.2)
where xi,k, k = 1, · · · , H can be determined using (3.1), e.g., xi,1 = fi(xi,0, ui,0, wi,0), and so on.
Let M be a multi-component system consisting of N components. The communication topology of
the components are represented as a graph G = (V, E, A) where V = {v1, . . . , vN } is a set of vertices
representing components M1, . . . , MN , E ⊂ V × V is the set of communication edges, and A ∈ B
N×N is
the adjacency matrix [148]. The value of an element aij ∈ B of the adjacency matrix A is ⊤ when there
exists an communication edge from the Mi to Mj , and ⊥ when there exists no communication edge. No
self-loops are allowed in G, i.e., ∀i ∈ {1, . . . , N}, aii = ⊥. A path P in the graph G is a sequence of
vertices (vs1
, vs2
, . . . , vsn
) ∈ Vsn such that asisi+1 = ⊤ for 1 ≤ i < sn.
Dynamical model of the multi-component system M can be represented as the composition of N
component models, i.e., M = ×N
i=1Mi
, where Mi
is the i-th component. A behavior of the multi-agent
system starting from time step k is a sequence, (ξ, k) = ξkξk+1 · · · where ξk = (x
T
k
, uT
k
, wT
k
)
T
, xk =
(x
T
1,k, · · · , xT
N,k)
T ∈ X, uk = (u
T
1,k, · · · , uT
N,k)
T ∈ U, wk = (w
T
1,k, · · · , wT
N,k)
T ∈ W, X = ×N
i=1Xi
,
U = ×N
i=1Ui
, and W = ×N
i=1Wi
.
32

Given initial states xi,0, control input sequences u
H
i
, and environment input sequences wH
i
for i =
1, · · · N, the behavior of the multi-agent system M over the time horizon H is denoted by
ξ(x0, u
H, wH) = (x0u0w0) (x1u1w1)· · ·(xH−1uH−1wH−1)xH. (3.3)
where x0 = (x
T
1,0
, · · · , xT
N,0
)
T ∈ X, u
H = u0u1 · · · uH−1 ∈ U
H and wH = w0w1 · · · wH−1 ∈ WH.
3.5 Reward Assume-Guarantee Contracts
In this section, we start by defining reward assume-guarantee (A/G) contracts and the related notions of
compatibility and consistency.
Definition 3.1 (Reward Assume-Guarantee (A/G) Contract) A reward A/G contract is a tuple C =
(U, X, A, G, O), where
• U is a set of state (uncontrolled) variables and X is a set of control input (controlled) variables, with
U ∩ X = ∅ and V = U ∪ X;
• A and G are sets of behaviors over V representing the assumptions and the guarantees, respectively,
• O = (O1, O2, . . . , Om) is a tuple of m objective functions where each objective function can map a
behavior within G to a real-valued reward, i.e., O : G → R
m.
Definition 3.2 (Optimal Guarantees) For a reward contract C = (U, X, A, G, O), we define the set of
optimal guarantees Gmax = arg maxx minu O(v) such that v ∈ A ∩ G.
Definition 3.2 amounts to stating that a component M implementing a contract C assigns values to
its controlled variables to maximize its reward, but has no information about the environment E and
its objective, except that E satisfies the assumptions. The optimal guarantees are then computed in the
worst-case scenario that the uncontrolled variables are assigned to minimize O.
33

Definition 3.3 (Compatibility and Consistency) A reward contract C = (U, X, A, G, O) with optimal
guarantees Gmax is compatible if and only if A ̸= ∅ and consistent if and only if Gmax ̸= ∅.
Example 3.1 (Contract Compatibility and Consistency) Consider a contract C = ({u}, {x}, 1 ≤ u ≤
2,(0 ≤ x ≤ 4) ∨ ¬(1 ≤ u ≤ 2), x + u) where assumptions and guarantees are expressed by predicates on
the real variables u and x. We obtain Gmax = (arg maxx minu(u + x) s.t. (1 ≤ u ≤ 2) ∧ (0 ≤ x ≤ 4)) =
{(1, 4)T }. Since A ̸= ∅ and Gmax ̸= ∅, the contract C is both compatible and consistent.
We now extend the conjunction operation and define the new operations of cooperative and noncooperative composition to encapsulate conflicting objectives of components.
Definition 3.4 (Conjunction) Given the reward contracts C1 = (U, X, A1, G1, O1) and C2 =
(U, X, A2, G2, O2), the conjunction of C1 and C2, denoted by C1 ∧C2, is a contract on the same variable sets
U and X and such that:
A = A1 ∪ A2 (3.4)
G = G1 ∩ G2 (3.5)
O = (O1, O2). (3.6)
Assumptions and guarantees in (3.4) and (3.5) are computed as in the traditional A/G contract framework [16]. O in (3.6) is obtained by concatenating the objectives of C1 and C2. Gmax can then be computed
as in Definition 3.2.
Computing the optimal guarantees results, in general, into a multi-objective optimization problem [149], which can be addressed by either constructing the Pareto optimal fronts to select a Pareto
optimal solution, or by reducing the original problem to a standard, single objective optimization problem.
For simplicity, we follow the latter approach in the examples of this chapter. While, in general, a single objective function can be acquired by using a function such as O = g(O1, O2, . . .), we assume that a weight
34

vector c = (c1, . . . , c|c|
) is provided, which encodes, for example, the priority given by the designer (or
the agents in the system) to the components of O. We then generate a single objective function as the
weighted sum of all the elements of O according to c, i.e., O =
P|c|
i=1 ciOi
. In the following, we further
assume c = (1, . . . , 1).
Example 3.2 (Conjunction) We compute the conjunction of the following contracts:
C1 = ({u}, {x}, 0 ≤ u ≤ 3,(2 ≤ x ≤ 3) ∨ ¬(0 ≤ u ≤ 3), x − u)
C2 = ({u}, {x}, 0 ≤ u ≤ 2,(1 ≤ x ≤ 4) ∨ ¬(0 ≤ u ≤ 2), 3u)
We obtain C1 ∧ C2 = ({u}, {x}, 0 ≤ u ≤ 3,(2 ≤ x ≤ 3) ∨ ¬(0 ≤ u ≤ 3), x + 2u) and G1∧2,max =
arg maxx minu(x + 2u) s.t. (0 ≤ u ≤ 3) ∧ (2 ≤ x ≤ 3) = {(0, 3)T }.
Definition 3.5 (Cooperative Composition) The cooperative composition of the reward contracts C1 =
(U1, X1, A1, G1, O1) and C2 = (U2, X2, A2, G2, O2), denoted by C1⊗ˆC2, is a reward contract C1⊗ˆC2 =
(U, X, A, G, O) such that
U = U1 ∪ U2 \ X, X = X1 ∪ X2 (3.7)
A = (A1 ∩ A2) ∪ G, G = G1 ∩ G2 (3.8)
O = (O1, O2) (3.9)
The optimal guarantees Gmax can be computed as in Definition 3.2. We compose two reward contracts C1
and C2 using Definition 3.5 when the components 1 and 2 are communicating, i.e., the element a12 in the
adjacency matrix A of the graph G is ⊤.
Definition 3.6 (Non-cooperative Composition) We call non-cooperative composition of the reward
contracts C1 = (U1, X1, A1, G1, O1) and C2 = (U2, X2, A2, G2, O2) the reward contract C1⊗ˇC2 =
35

Figure 3.1: Connection of Components M1 and M2
(U, X, A, G, O) where U, X, A, G, and O are defined as in Definition 3.5 and G1⊗ˇ 2,max = G1,max ∩G2,max,
where G1,max are the optimal guarantees for the reward contract Cˇ
1 = (U ∪ Y1, X \ Y1, A, G, O1) with
Y1 = U1∩X2, and G2,max are the optimal guarantees for the reward contract Cˇ
2 = (U∪Y2, X\Y2, A, G, O2)
with Y2 = U2 ∩ X1. G1,max and G2,max are separately computed as in Definition 3.2.
We compose two reward contracts C1 and C2 using Definition 3.6 when there exists no communication
path between the components 1 and 2.
Finding the optimal guarantees for cooperative composition can be reduced to solving an optimization problem with a single objective function because components can share (conjoin) their objectives
and make decisions toward optimizing them. On the other hand, non-cooperating components may share
some of their variables but have no information about each others’ objective. Consequently, two optimization problems must be solved to find the optimal guarantees G1,max and G2,max of the contracts Cˇ
1 and
Cˇ
2, respectively. Because each component makes worst-case assumptions about its environment, noncooperative composition usually results into a sub-optimal solution from the overall system perspective.
Example 3.3 (Composition) Consider a component M1 implementing C1 = (∅, {x}, ⊤, 0 ≤ x ≤ 3, −x)
and a component M2 implementing C2 = ({x}, {y}, 0 ≤ x ≤ 4, ¬(0 ≤ x ≤ 4) ∨ (0 ≤ y ≤ 2), 2x + y),
connected as shown in Figure 3.1. We compute the composition of C1 and C2 with and without cooperation.
We get the following contract when composing C1 and C2 with cooperation:
C1⊗ˆC2 = (∅, {x, y}, ⊤,(0 ≤ x ≤ 3) ∧ (0 ≤ y ≤ 2),(−x, 2x + y))
G1⊗ˆ 2,max = arg max
x,y
(x + y) s.t. (0 ≤ x ≤ 3) ∧ (0 ≤ y ≤ 2)} = {(3, 2)T
}
36

Since A1⊗ˆ 2
̸= ∅ and G1⊗ˆ 2,max ̸= ∅, C1⊗ˆC2 is compatible and consistent. We consider now composing C1
and C2 without cooperation. We obtain C1⊗ˇC2 where:
Cˇ
1 = (∅, {x, y}, ⊤,(0 ≤ x ≤ 3) ∧ (0 ≤ y ≤ 2), −x)
Cˇ
2 = ({x}, {y}, ⊤,(0 ≤ x ≤ 3) ∧ (0 ≤ y ≤ 2), 2x + y)
G1,max = arg max
x,y
(−x) s.t. (0 ≤ x ≤ 3) ∧ (0 ≤ y ≤ 2) = {(0, y)
T
: 0 ≤ y ≤ 2}
G2,max = arg max
y
min
x
(2x + y) s.t. (0 ≤ x ≤ 3) ∧ (0 ≤ y ≤ 2) = {(0, 2)T
}
G1⊗ˇ 2,max = G1,max ∩ G2,max = {(0, 2)T
}
Since A1⊗ˇ 2 ̸= ∅ and G1⊗ˇ 2,max ̸= ∅, C1⊗ˇC2 is compatible and consistent.
An extension of the refinement relation between contracts can be expressed via optimal refinement,
which enables reasoning about replaceability between components whose behaviors aim to optimize objectives.
Definition 3.7 (Optimal Refinement) Given the contracts C1 = (U, X, A1, G1, O1) and C2 =
(U, X, A2, G2, O2) on the same variables, we say that C2 optimally refines C1, written C2 ⪯∗ C1, if and
only if
A2 ⊇ A1, G2,max ⊆ G1,max (3.10)
We observe that if the objective of a contract is empty, it reduces to a traditional contract, with Gmax =
G. Accordingly, if both of the objectives of C1 and C2 are empty, optimal refinement reduces to the
traditional refinement relation. Similarly to the conventional refinement relationship [16], the optimal
refinement relationship is a pre-order relationship, since the only difference between conventional and
optimal refinement is that we use optimal guarantees Gmax ⊆ G instead of the guarantees G.
37

3.6 Verification and Synthesis with STL Reward Contracts: Problem
Formulation
For a reward contract C = (U, X, A, G, O) specifying the behaviors of a component M over the time
horizon H, its state (uncontrolled) variables is {x0, w0, · · · , wH−1} where x0 is the initial state of the
component and wH = w0w1 · · · wH−1 ∈ WH; and its set of control input (controlled) variables is
{u0, · · · , uH−1} where u
H = u0u1 · · · uH−1 ∈ U
H. We assume that U = {w0, · · · , wH−1} and
X = {u0, · · · , uH−1}, unless mentioned otherwise. The assumptions A and guarantees G of a reward
contract C can be defined by the sets of behaviors that satisfy the bounded STL formulas ϕA and ϕG,
respectively. Then, the main contract operators can be mapped into operations and relations between
formulas [100]. We define verification and synthesis problems with STL reward contracts as follows.
Problem 3.1 (Compatibility and Consistency Checking) Given a component M with its initial state
x0, and a reward contract C = (U, X, ϕA, ϕG, O) describing the behaviors of M over the time horizon
H = max(HϕA
, HϕG
), determine whether C is compatible, i.e., ϕA is satisfiable: ξ(x0, u
H, wH) |= ϕA, and
consistent, i.e., the following optimization problem is feasible:
max
uH∈UH
min
wH∈WH
O

ξ(x0, u
H, wH)

s.t. ξ(x0, u
H, wH) |= ϕA → ϕG (3.11)
Problem 3.2 (Contract Optimal Refinement Checking) Given a component M with its initial state x0,
and contracts C1 = (U, X, ϕA1, ϕG1, O1) and C2 = (U, X, ϕA2, ϕG2, O2) defined over the time horizon
H = max(HϕA1
, HϕA2
, HϕG1
, HϕG2
), determine whether C2 ⪯∗ C1, i.e., whether both of the following
3

conditions hold: (i) ϕA1 ∧ ¬ϕA2 is unsatisfiable, i.e., ξ(x0, u
H, wH) ̸|= ϕA1 ∧ ¬ϕA2; (ii) G2,max ∩ G1,max is
empty, where G1,max and G2,max are defined as follows:
G1,max = arg max
uH∈UH
min
wH∈WH
O1

ξ(x0, u
H, wH)

s.t. ξ(x0, u
H, wH) |= ϕA1 ∧ ϕG1 (3.12)
G2,max = arg max
uH∈UH
min
wH∈WH
O2

ξ(x0, u
H, wH)

s.t. ξ(x0, u
H, wH) |= ϕA2 ∧ ϕG2 (3.13)
Problem 3.3 (Control Synthesis) Given a component M with its initial state x0, and a contract C =
(U, X, ϕA, ϕG, O) describing the behaviors of M over the time horizon H = max(HϕA
, HϕG
), determine the
control input u
H by solving the following optimization problem:
arg max
uH∈UH
min
wH∈WH
O

ξ(x0, u
H, wH)

s.t. ξ(x0, u
H, wH) |= ϕA ∧ ϕG (3.14)
Problems 3.1, 3.2, and 3.3 directly descend from the definitions of contract compatibility, consistency,
optimal refinement, and optimal guarantees. We now introduce the algorithms for addressing these problems.
3.7 Verification and Synthesis with STL Reward Contracts: Algorithms
We address the problems posed in the previous section by proposing algorithms that leverage MILP encoding of bounded STL formulas. We first introduce a MILP encoding for bounded STL formulas. Then,
we detail the algorithms.

3.7.1 Mixed Integer Linear Program Encoding of Bounded Signal Temporal Logic
Formulas
Given a linear dynamical system model M with its initial state x0, the satisfaction of bounded STL formulas
ϕ with linear APs can be encoded as a set of mixed integer linear constraints [118, 59, 117] as follows.
3.7.1.1 System Constraints
System constraints encode the valid H-horizon system behaviors as governed by f in (3.1). Assuming that
f is a linear function and uk can be decided by xk and wk, i.e., uk = h(xk, wk), we have the following
system constraints:
xk+1 = f(xk, uk) = Axk + Buk, k = 0, · · · , H − 1, (3.15)
where A ∈ R
|X|×|X|
and B ∈ R
|X|×|U|
are constant matrices.
3.7.1.2 Signal Temporal Logic Constraints
For Boolean (or qualitative) encoding of an STL formula ϕ, we introduce a Boolean variable z
ϕ
k
, whose value
corresponds to the satisfaction of ϕ at time step k, i.e., z
ϕ
k = 1 if and only if (ξ, k) |= ϕ. We start with the
encoding of an STL AP, µ(ξk) ≥ 0. Assume that µ is a linear function of the form:
µ(ξk) := a
T xk + b
T uk + c
T wk + d (3.16)
where ξk = (x
T
k
, uT
k
, wT
k
)
T
, a ∈ R
|X|
, b ∈ R
|U|
, c ∈ R
|W|
, and d ∈ R are constant vectors. To require that
z
µ
k = 1 if and only if µ(ξk) ≥ 0, we use the following constraints:
Mc(z
µ
k − 1) ≤ µ(ξk) and µ(ξk) ≤ Mcz
µ
k − ϵ (3.17)
40

where Mc and ϵ are sufficiently large and small positive constants (“big-M” encoding technique [149])
selected to be much larger than and smaller than |µ(ξk)|, respectively.
We then encode the logical and temporal operations in the STL formula via the following constraints,
which can be compiled recursively using the Boolean semantics of STL:
• Negation (ϕ := ¬ψ): z
ϕ
k = 1 − z
ψ
k
;
• Conjunction (ϕ := ∧
m
j=1ψj ): 1 − m +
Pm
j=1 z
ψj
k ≤ z
ϕ
k
and z
ϕ
k ≤ z
ψj
k
, j = 1, . . . , m;
• Disjunction (ϕ := ∨
m
j=1ψj ): z
ψj
k ≤ z
ϕ
k
, j = 1, . . . , m and z
ϕ
k ≤
Pm
j=1 z
ψj
k
;
• Globally (ϕ := G[t1,t2]ψ): Pk+t2
t=k+t1
z
ψ
t − (t2 − t1) ≤ z
ϕ
k
and z
ϕ
k ≤ z
ψ
t
, t = k + t1, . . . , k + t2;
• Eventually (ϕ := F[t1,t2]ψ): z
ψ
t ≤ z
ϕ
k
, t = k + t1, . . . , k + t2 and z
ϕ
k ≤
Pk+t2
t=k+t1
z
ψ
t
;
• Until (ϕ := ψ1U[t1,t2]ψ2): z
ψ2
t ≤ z
ϕ
k
, t = k + t1, . . . , k + t2 and z
ϕ
k ≤
Pk+t2
t=k+t1
z
ψ2
t
,
Pt
l=k
z
ψ1
l − (t − k) ≤ z
ψ2
t
and z
ψ2
t ≤ z
ψ1
l
, l = k, . . . , t
, t =
k + t1, . . . , k + t2.
We denote by C[ϕ, M] the set of mixed integer linear constraints obtained by the Boolean encoding ϕ for
M.
Example 3.4 Let M be the dynamical system model: xk+1 = xk+uk with the initial state x0 = 0. We get the
following set of constraints C[ϕ, M] from the MILP encoding of a bounded STL formula ϕ := F[2,3](x−w ≥ 5)
with horizon H = 3:
• System Constraints: x0 = 0, x1 = x0 + u0, x2 = x1 + u1, and x3 = x2 + u2;
• Constraints for ϕ := F[2,3](x ≥ 5): z
ϕ
0 = 1, z
ϕ1
k ≤ z
ϕ
0
, k = 2, 3 and z
ϕ
0 ≤
P3
k=2 z
ϕ1
k
;
• Constraints for ϕ1 := (x − w ≥ 5):

Mc(z
ϕ1
k −1) ≤ xk−wk−5 and xk−wk−5 ≤ Mcz
ϕ1
k −ϵ

, k =
2, 3;

The Boolean encoding of the STL formula ϕ requires 3 Boolean variables (z
ϕ
0
, z
ϕ1
2
, and z
ϕ1
3
), 9 real variables
(x0, x1, x2, x3, u0, u1, u2, w2, and w3), and 12 constraints.
3.7.2 Contract-Based Verification
Consider two functions SolveMax(M, x0, ϕ, O, H) and SolveMaxMin(M, x0, ϕ, O, H) which return u
H
by solving the following problems, respectively.
Problem 3.4 (SolveMax) Given a component M, its initial state x0, an STL formula ϕ, an objective function O, and a finite time horizon H, find the control inputs u
H such that the following optimization problem
is feasible:
Boolean: arg max
uH∈UH,wH∈WH
O

ξ(x0, u
H, wH)

s.t. C[ϕ, M] (3.18)
Whenever the SolveMax function is called, we solve Problem 3.4, an optimization problem (3.18) in standard form [21], by utilizing any available off-the-shelve optimization tools.
Problem 3.5 (SolveMaxMin) Given a component M, its initial state x0, an STL formula ϕ, an objective
function O, and a finite time horizon H, find the control inputs u
H such that the following optimization
problem is feasible:
Boolean: arg max
uH∈UH
min
wH∈WH
O

ξ(x0, u
H, wH)

s.t. C[ϕ, M] (3.19)
Similarly to Problem 3.4, we solve (3.19) first. If (3.19) is infeasible, we try to find the minimally violating
control u
H. Problem 3.4, Problem 3.5 involves nondeterministic environment inputs wH that may be

adversarial. The problem can be solved using the CEGIS schemes proposed in [118, 141], or assuming the
existence of the function that can predict the environment inputs as in [117]. In this chapter, we use the
scheme proposed in [118].
Given a contract C = (U, X, ϕA, ϕG, O), we address compatibility checking in Problem 3.1 by calling
SolveMax(M, x0, ϕA, [], H). If there exists a solution, then C is compatible. Similarly, to check consistency as in Problem 3.1, we call SolveMaxMin(M, x0, ϕA ∧ ϕG, O, H) to find a control input u
H such
that ∀wH ∈ WH, ξ(x0, u
H, wH) ∈ Gmax. If there exists a solution, then C is consistent.
We solve the optimal refinement checking problem posed in Problem 3.2 by using Algorithm 1. Lines
1-3 check whether ϕA1 → ϕA2 is a feasible formula, which amounts to checking that ϕA1∧¬ϕA2 is unsatisfiable. If this is not the case, the algorithm immediately returns C2 ⪯̸∗ C1. Lines 4-12 check that G2,max ⊆
G1,max based on Definition 3.7. We first find the rewards O1,max and O2,max for behaviors in G1,max and
G2,max, respectively. We then look for a behavior ξ(x0, u
H, wH)that belongs to G1,max∩G2,max, i.e., a behavior such that O2(ξ(x0, u
H, wH)) = O2,max and O1(ξ(x0, u
H, wH)) < O1,max. We handle the roundoff errors for the reward values O1,max and O2,max by encoding the constraints O2(ξ(x0, u
H, wH)) =
O2,max and O1(ξ(x0, u
H, wH)) < O1,max as O2,max − ϵ ≤ O2

ξ(x0, u
H, wH)

≤ O2,max + ϵ and

O1

ξ(x0, u
H, wH)

< O1,max − ϵ

∨

O1,max + ϵ < O1

ξ(x0, u
H, wH)
, respectively. If there exists
no such behavior satisfying these additional constraints, the algorithm returns C2 ⪯∗ C1; otherwise, we
find C2 ⪯̸∗ C1.
3.7.3 Contract-Based Synthesis for Multi-Component Systems
Assume a multi-component system M which consists of N components, i.e., M1, M2, and MN . We first
describe control synthesis for component Mi specified by contract Ci = (Ui
, Xi
, ϕAi
, ϕGi
, Oi). Then, we
introduce algorithms for solving the same problem for a multi-component system M = ×N
i=1Mi
, when
components are cooperating or not cooperating with each other

Algorithm 1: CheckOptRefine
Input: M, x0, C1 = (U, X, ϕA1, ϕG1, O1), C2 = (U, X, ϕA2, ϕG2, O2), H
Output: Ref ine = {⊤, ⊥}
1 u
H ← SolveMax(M, x0, ϕA1 ∧ ¬ϕA2, [], H)
2 if u
H ̸= ∅ then
3 return ⊥;
4 u
H ← SolveMaxMin(M, x0, ϕA1 ∧ ϕG1, O1, H)
5 O1,max ← O1

ξ(x0, u
H, wH)

6 u
H ← SolveMaxMin(M, x0, ϕA2 ∧ ϕG2, O2, H)
7 O2,max ← O2

ξ(x0, u
H, wH)

8 u
H ← SolveMaxMin(M, x0, ϕA2 ∧ ϕG2 ∧

O2,max − ϵ ≤ O2

ξ(x0, u
H, wH)

≤ O2,max + ϵ

∧
O1

ξ(x0, u
H, wH)

< O1,max − ϵ

∨

O1,max + ϵ < O1

ξ(x0, u
H, wH)
, O2, H)
9 if u
H ̸= ∅ then
10 return ⊤;
11 else
12 return ⊥;
13 end
If a single component Mi operates alone, the control input u
H
i
can be obtained by calling
SolveMaxMin(Mi
, xi,0, ϕAi∧ϕGi
, Oi
, H). However, finding the control inputs for components in a multicomponent system is less straightforward, especially with and without cooperation of the components.
When all the components cooperate, we obtain a composite contract by composing all the contracts
describing each component’s behaviors via cooperative composition. Since the cooperative composition
⊗ˆ
N
i=1Ci
is a reward contract, we can generate a satisfying control input u
H for the multi-component
system M by calling SolveMaxMin(M = ×N
i=1Mi
, x0 = (x
T
1,0
, · · · , xT
N,0
)
T
, ∧
N
i=1(ϕAi ∧ϕGi
),
P|c|
i=1 ciOi
,
H) where c = (c1, · · · , cN ) = (1, · · · , 1) is a weight vector.
On the other hand, the behaviors of a set of of non-cooperating components can be expressed by the
non-cooperative composition ⊗ˇ
N
i=1Ci and the reward contracts Cˇ
1, · · · , CˇN (line 1). As shown in Algorithm 2, control synthesis for non-cooperating components requires solving N optimization problems
corresponding to the N contracts Cˇ
1, · · · , CˇN (line 2-4). Finally, the trajectory of the multi-component system can be acquired by concatenating the solutions to provide an optimal solution u
H = (u
H
1
, · · · , u
H
N ) ∈
∩
N
i=1Gi,max (lin

Algorithm 2: NonCoopSyn
Input: {M1, · · · , MN }, x0 = (x
T
1,0
, · · · , xT
N,0
)
T
, {C1, · · · , CN }, H
Output: u
H
1 (Cˇ
1, · · · , CˇN ) ← ⊗ˇ
N
i=1Ci
2 for i ∈ {1, · · · , N} do
3 Ctmp ← Cˇ
i
4 u
H
i ← SolveMaxMin(×N
j=1Mj , x0, ϕAtmp ∧ ϕGtmp , Otmp, H)
5 end
6 return u
H = (u
H
1
, · · · , u
H
N )
Algorithm 3: ModelPredictiveControl
Input: {M1, · · · , MN }, x0 = (x
T
1,0
, · · · , xT
N,0
)
T
, {C1, · · · , CN }, H, Coop ∈ B, L
Output: u
L = (u
L
1
, · · · , u
L
N )
1 for k ∈ {0, 1, · · · , L − 1} do
2 if Coop = ⊤ then
3 (u
H
1
, · · · , u
H
N ) ← SolveMaxMin(×N
i=1Mi
, xk ⊗ˆ
N
i=1Ci
, H)
4 else
5 (u
H
1
, · · · , u
H
N ) ← NonCoopSyn({M1, · · · , MN }, xk {C1, · · · , CN }, H)
6 end
7 for i = {1, · · · , N} do
8 ui,k ← extractFirstMoves(u
H
i
)
9 xi,k+1 ← fi(xi,k, ui,k, wi,k)
10 end
11 end
12 return u
L = (u
L
1
, · · · , u
L
N )
We then solve the control synthesis problem (Problem 3.3) for N cooperating and non-cooperating
agents using the MPC scheme. MPC makes explicit use of the system model to obtain the control actions
which optimize a reward function [27]. It is based on iterative, finite horizon predictions of the future
output using the model of the system and its disturbances. At time step k, the current state of the system
and the disturbances are observed and an optimal control strategy is acquired for a finite time window
[k, k + H]. To be robust against potential modeling errors in the dynamical system or the environment,
only the first step of the optimal control strategy is implemented and the same steps are repeated for the
next time step k + 1.
Given the agents {M1, · · · , MN } with their initial states x0 = x1,0 · · · xN,0, the corresponding reward contracts {C1, · · · , CN }, the prediction horizon H = maxi=1,...,N (ϕAi
, ϕGi
), a Boolean variable
Coop indicating the cooperation between the agents, we adopt the MPC-based strategy in Algorithm 3
45

to synthesize control inputs for the multiple agents from time step 0 to L − 1 (line 1). If the agents are
cooperating (line 2), we use the function SolveMaxMin to find the control inputs describing the cooperating behavior of the N agents (line 3). On the other hand (line 4), we synthesize the control inputs for the
agents using Algorithm 2 (line 5). For each agent, we only implement the first control moves and update
the next system state (line 6-8). The procedure is repeated until the maximum duration of the synthesis
L is reached (line 1). SolveMaxMin or NonCoopSyn in line 3 and 5 does not always guarantee a feasible
solution (u
H
1
, · · · , u
H
N ) with the conflicting objectives of the agents.
3.8 Case Studies
We first analyze the scenario proposed in Section 3.3 using reward contracts; then, we discuss case studies
in the context of autonomous vehicles in three traffic scenarios.
3.8.1 Contract-Based Verification for the Motivating Example
For the scenario in Section 3.3, we write reward contracts for each vehicle and check contract compatibility
and consistency for a cooperative and non-cooperative composition. We then check optimal refinement
to verify that the composition optimally satisfy the system-level requirements. Let the system-level and
vehicle-level contracts C, C1, and C2 be defined, respectively, as follows:
C = (∅, {u1, u2}, ⊤,(u1, u2) ̸= (Pass, Pass), R),
C1 = ({u2}, {u1}, ⊤,(u1 ∈ {Wait, Pass}) ∧ ((u1, u2) ̸= (Pass, Pass)), R1),
C2 = ({u1}, {u2}, ⊤,(u2 ∈ {Wait, Pass}) ∧ ((u1, u2) ̸= (Pass, Pass)), R2).
46

The function R : {Wait, Pass}
2 → {0} is a zero constant objective function and C is a safety contract for
the overall system, requiring that collisions be avoided. Cooperative and non-cooperative compositions
can be computed as follows:
C1⊗ˆC2 = (∅, {u1, u2}, ⊤,(u1, u2) ̸= (Pass, Pass), R3 = R1 + R2),
C1⊗ˇC2 = (∅, {u1, u2}, ⊤,(u1, u2) ̸= (Pass, Pass),(R1, R2)).
The optimal guarantees with cooperation are G1⊗ˆ 2,max = arg maxu1,u2 R3 s.t. ((u1, u2) ∈
{Wait, Pass}
2
) ∧ ((u1, u2) ̸= (Pass, Pass)) = {(Wait, Pass)} using R3 in Table 3.3. The optimal guarantees without cooperation are G1⊗ˇ 2,max = G1,max ∩ G2,max = {(Wait, Wait)}, where
G1,max = arg maxu1 minu2 R1 s.t. (u1, u2) ̸= (Pass, Pass) = {(Wait, u2) : u2 ∈ {Wait, Pass}} and
G2,max = arg maxu2 minu1 R2 s.t. (u1, u2) ̸= (Pass, Pass) = {(u1, Wait) : u1 ∈ {Wait, Pass}}. With
cooperation, the optimal behavior of the composite is to let M2 pass first while M1 waits. Without cooperation, we observe the overall system in a deadlock where it is optimal for both M1 and M2 to wait for
the other vehicle to pass.
Both C1⊗ˆC2 and C1⊗ˇC2 refine C, since the condition on the assumptions is trivially satisfied, while
both the conditions G1⊗ˆ 2,max = {(Wait, Pass)} ⊆ {(u1, u2) : (u1, u2) ̸= (Pass, Pass)} and G1⊗ˇ 2,max =
{(Wait, Wait)} ⊆ {(u1, u2) : (u1, u2) ̸= (Pass, Pass)} hold for the guarantees. While explicitly finding
the set of optimal behaviors of a contract may be challenging, if at all possible, this is not required by
Algorithm 1. In this case study, checking optimal refinement requires solving four optimization problems
(lines 1, 4, 6, and 8 in Algorithm 1).
47

3.8.2 Contract-Based Synthesis for a Fleet of Autonomous Vehicles
We illustrate the effectiveness of the proposed framework for synthesizing controllers for a fleet of autonomous vehicles with and without cooperation on a highway merging and an intersection scenario. We
use an MPC scheme as described in Section 3.7.3. The control synthesis problem is then solved by formulating and solving a sequence of MILP problems as detailed in Section 3.7.1. We solve these problems using
Gurobi [66] on an Intel 3..4-GHz CPU with 32-GB RAM. All the vehicles have the following dynamics:
xi,k+1 = Axi,k + Bui,k, A =












1 0 ∆t 0
0 0 1 0
0 1 0 ∆t
0 0 0 1












, B =












0
∆t
0
∆t












, ∀i = 1, · · · , N, (3.20)
where ∆t is the discretization step, xi,k = (px,i,k, py,i,k, vx,i,k, vy,i,k)
T
is the state vector, (px,i,k, py,i,k) is
the (x, y)-position, (vx,i,k, vy,i,k) is the (x, y)-velocity, and ui,k = (ax,i,k, ay,i,k)
T
is the (x, y)-acceleration
of vehicle i. We assume that all the vehicles know the positions and the velocities of the surrounding
vehicles at any time step k.
We specify a reward contract Ci for each vehicle Mi as follows:
Ci = ({x
H
j̸=i
}, {x
H
i },
^
N
j=1
ϕPj̸=i
, ϕIi ∧ ϕPi ∧
^
N
j=1
ϕNC,(i,j̸=i) ∧ ϕR,i, Oi), (3.21)
where ϕPj
:= G[0,H]
((|aj | ≤ 4) ∧ (|vj | ≤ 10)) is a SNN–STL formula expressing the physical constraints
on acceleration and velocity of the surrounding vehicles. Initial condition of the vehicle is expressed using
ϕIi
:= (xi,0 = xi,0). No collision constraints can be expressed as ϕNC,(i,j)
:= G[0,H]
((|px,i − px,j | ≥
lx)∧(|py,i −py,j | ≥ ly)), where lx and ly are the minimum longitudinal and latitudinal distances between
a pair of vehicles in x and y axis that prevent a collision; the road constraints are expressed as ϕR,i :=
48

G[0,H]
((px,i, py,i) ∈ Ri), where Ri models the roads which each vehicle can visit, described as a set of
constraints. In this chapter, we use linear inequalities to define Ri
. The objective function Oi
is:
Oi =
X
H
t=0
|ax,i,t| + |ay,i,t| + |px,i,t − tx,i| + |py,i,t − ty,i| (3.22)
where ti = (tx,i, ty,i) is the i-th vehicle’s target position (or destination). The objective in (3.22) accounts
for fuel consumption, which increases with the magnitude of the acceleration, and the distance from the
target. Given the initial location of the vehicles, we generate the vehicle trajectories using an MPC scheme
with a prediction horizon of 4 s (H = 64 time steps), a control horizon of 0.0625 s (1 time step), and the
time step of ∆t = 0.0625 s. This amounts to controlling a fleet of vehicles by computing each vehicle’s
next movement every 1/16 s.
3.8.2.1 Intersection Scenario
We consider four autonomous vehicles, each specified by a reward contract, at an intersection. Driven by
its objective, each vehicle gains higher reward as it approaches its destination marked as a box with the
same color as the vehicle in Figure 3.2a. The admissible region for each vehicle includes the starting lanes,
the target lanes, and the intersection region. For instance, the blue vehicle in Figure 3.2a (vehicle 2) starts
in the bottom lane, visits the intersection, and targets the left lane. The admissible regions are marked
by the dotted red boxes in Figure 3.2a, each of which is described using four inequality constraints. We
compose the contracts with and without cooperation and compute the resulting control trajectories by
solving Problem 3.3 using Algorithm 3. Given the composite multi-vehicle system M = ×3
i=0Mi
, and the
composite contract C = ⊗ˆ
3
i=0Ci
(or ⊗ˇ
3
i=0Ci
) describing the behaviors of the composite system over a
time horizon of 20 s (L = 20 × 16 = 320 time steps), we find the control input u
L such that the multiagent system satisfies the requirements given by C. We then perform synthesis with a number of vehicles
49

ranging from 2 to 5 and ∆t from 0.0625 to 0.5 s to observe the performance and scalability of the proposed
algorithm.
3.8.2.2 Highway and Highway Merging Scenarios
We also generate the trajectories of four autonomous vehicles, specified by their reward contracts as
in (3.21) and (3.22), on an highway and an highway merging scenario for 15 s (L = 15 × 16 = 240
time steps). As in the intersection example, each vehicle aims to approach its destination, as shown in
Figure 3.2b and 3.2c, as soon as possible without violating any of the requirements in (3.21). We set the
start, the target, and the admissible regions as in Figure 3.2b and 3.2c. The admissible region Ri for the
i-th vehicle includes the starting lane and the target lane on the highway. For instance, the blue vehicle
(vehicle 2) in the merging scenario starts in the top lane on the highway and targets the merging lane. R2
includes the merging lane and both lanes on the highway, which are marked by the dotted red boxes in
Figure 3.2c. Given a composite system M = ×3
i=0Mi
, a composite contract, C = ⊗ˆ
3
i=0Ci
(or ⊗ˇ
3
i=0Ci
), and
the initial states of the vehicles, we derive u
H for the fleet of vehicles such that C is satisfied. To illustrate
the capability of our framework, we also increase the number of vehicles for the highway merging scenario
from 2 to 5 and change ∆t from 0.0625 to 0.5 s.
3.8.2.3 Results and Analysis
We first demonstrate the synthesis results of four autonomous vehicles on the intersection, highway, and
highway merging scenarios using ∆t = 0.0625 s. Figure 3.3 shows the snapshots of the trajectories of four
vehicles for the intersection scenario at time steps 11 and 16 s. When the four vehicles are not cooperating,
we observed defensive behaviors from the vehicles aiming to avoid collisions which lead the red, green,
and blue vehicles to a deadlock as shown in Figure 3.3b. On the other hand, when the agents cooperate,
50

the vehicles avoided a deadlock while exhibiting less conservative behaviors without sharp decelerations
and turns aiming to minimize the costs associated with fuel consumption (Figure 3.3d).
The trajectories of four vehicles in the highway and highway merging scenario are also given in Figure 3.4 and 3.5. In the highway scenario, we observed that all cooperating vehicles reached their destination
lanes within 6 s, whereas non-cooperating vehicles took longer, reaching their designated lanes at 7.5 s. In
the non-cooperative case, we again observed more conservative behaviors where vehicles act defensively
to avoid a collision. For instance, the blue vehicle (vehicle 2) in Figure 3.5 at t = 6 s decelerated and
almost changed its lane due to the red vehicle (vehicle 0)’s intrusive maneuver. On the other hand, in the
cooperative case, the blue vehicle was less defensive, since it was aware of the other vehicles’ objectives.
Table 3.4 summarizes the performance of the synthesis schemes proposed in Algorithm 3 for both
cooperating and non-cooperating scenarios. The table includes the execution times and the total fuel
consumption of all vehicles, which is calculated as PL−1
i=1 |ui
|∆t. Additionally, the table includes entries
labeled Scenario Terminated, which is used when Algorithm 3 lead the vehicles to a collision. The execution time increased as the number of vehicles increased, and the time step became finer. In densely
packed scenarios with more vehicles, there are limited maneuvers that each vehicle can make, making
it more challenging to find feasible control inputs with larger time steps. However, as the time step becomes smaller, the proposed scheme tends to find control inputs that lead the fleet of vehicles to satisfy
reward contracts more effectively. The results also indicate that fuel consumption was generally lower in
cooperating scenarios, which suggests that cooperation led to more efficient travel to their destinations.
Non-cooperative composition took more time than cooperative composition due to the MILP problem that
needs to be solved for each vehicle.
51

Table 3.4: Experimental results of all scenarios. Scenario Terminated indicates the termination of the algorithm 3 due to a crash between the vehicles in the simulation.
Scenario Cooperation
∆t [s]
0.5 0.25 0.125 0.0625
Execution Time [s], Fuel Consumption (PL−1
i=1 |ui|∆t) [m/s]
Intersection, 2 vehicles True 20.70, 0 33.11, 0 116.92, 0.01 452.14, 0.03
False 20.81, 0 40.80, 0 147.25, 0 569.88, 0
Intersection, 3 vehicles True 21.12, 28.49 56.18, 32.41 245.11, 29.18 1744.09, 41.99
False 26.58, 22.65 Scenario Terminated 353.64, 47.67 Scenario Terminated
Intersection, 4 vehicles True 22.73, 25.25 78.05, 31.93 328.81, 29.83 1807.47, 36.59
False 34.84, 33.71 214.46, 38.71 Scenario Terminated Scenario Terminated
Intersection, 5 vehicles True Scenario Terminated 132.76, 65.80 514.71, 79.11 2991.68, 48.95
False Scenario Terminated Scenario Terminated Scenario Terminated Scenario Terminated
Highway, 2 vehicles True 15.66, 19.17 29.41, 19.10 109.71, 19.18 430.80, 19.08
False 35.81, 19.00 15.75, 18.50 133.92, 20.14 517.82, 20.10
Highway, 3 vehicles True Scenario Terminated 46.66, 47.67 177.00, 52.01 713.16, 47.59
False 25.98, 38.39 63.92, 68.87 243.05, 63.26 958.56, 56.34
Highway, 4 vehicles True Scenario Terminated 65.09, 54.50 252.73, 64.69 1018.19, 55.05
False Scenario Terminated 100.55, 82.39 391.82, 76.80 1660.75, 70.40
Highway, 5 vehicles True Scenario Terminated 90.17, 65.00 332.08, 73.31 1463.26, 75.81
False Scenario Terminated 145.07, 92.98 564.71, 88.52 2476.41, 81.27
Merging, 2 vehicles True 15.95, 30.46 46.79, 30.91 173.15, 33.13 692.67, 33.43
False 16.49, 30.14 52.34, 33.47 198.01, 48.14 775.87, 37.52
Merging, 3 vehicles True 20.59, 70.81 72.48, 77.29 283.02, 74.94 1148.06, 76.89
False 25.71, 84.45 89.72, 82.09 345.07, 86.68 1367.33, 88.28
Merging, 4 vehicles True 27.92, 96.79 100.73, 102.13 392.63, 112.30 1675.95, 104.05
False 37.56, 111.12 132.77, 118.15 393.75, 122.30 2301.18, 122.39
Merging, 5 vehicles True 36.01, 116.14 130.96, 119.97 526.00, 122.21 2290.14, 129.23
False 65.68, 131.95 289.46, 136.50 830.81, 76.75 2873.05, 144.17
3.9 Chapter Summary
We proposed an extension of the A/G contract framework that explicitly includes objectives as first-class
entities, along with assumptions and guarantees, and provides additional composition operators to capture
component interactions that involve (non-)cooperation. We illustrated the expressiveness and effectiveness of the proposed framework on case studies in the context of autonomous vehicles with different
objectives and different cooperation schemes in several traffic scenarios. There are several possible extensions of this work, including further investigation of the properties of the newly defined operators, the
relationship between reward contracts and the contract meta-theory in the literature [16], and concrete
instances of the framework in the context of multi-agent dynamical systems and hybrid games.
52

(a) Vehicle destinations for the intersection scenario.
(b) Vehicle destinations for the highway scenario.
(c) Vehicle destinations for the highway merging scenario.
Figure 3.2: Feasible routes for the intersection, highway, and highway merging scenarios.
53

(a) Without cooperation, 11 s (b) Without cooperation, 16 s
(c) With cooperation, 11 s (d) With cooperation, 16 s
Figure 3.3: Intersection scenario for four vehicles without cooperation (left) and with cooperation (right).
Figure 3.4: Highway scenario for four vehicles without cooperation (top) and with cooperation (bottom).
54

Figure 3.5: Highway merging scenario for four vehicles without cooperation (top) and with cooperation
(bottom).
55

Chapter 4
Quantitative Design of Cyber-Physical Systems Under Uncertainties
This chapter introduces a compositional framework of stochastic assume-guarantee (A/G) contracts to
address the challenges in the design and verification of cyber-physical systems (CPSs) under uncertainty.
It utilizes StSTL to effectively capture probabilistic behaviors and formulate of optimization problems for
both qualitative and quantitative verification. By introducing quantitative semantics for StSTL in terms of
robustness estimates, the chapter provides a novel approach to reason about the satisfaction margins of
probabilistic requirements. These concepts are further developed into effective algorithms for quantitative verification and parameter synthesis, with applications demonstrated in multi-sensor perception and
adaptive cruise control systems.
4.1 Introduction
Design and verification of modern CPSs are challenging for several reasons. The number of heterogeneous
requirements to be satisfied has increased as safety-critical CPSs are deployed to perform missions under
strict regulations. The design space size has also expanded, requiring design decisions over multiple interconnected dimensions, e.g., control reliability, sensing accuracy, and energy consumption. Finally, CPSs
operate in the presence of uncertainty due, among other sources, to noise and disturbances in the system
as well as the highly dynamic, unstructured, and even adversarial, environments.
56

Several approaches have been proposed to aid design and verification of CPSs [125]. Among these,
the approaches based on A/G contracts [15, 97, 96], often specified using temporal logics [115, 84], offer
effective mechanisms to analyze system behaviors in a modular way and reason about the correctness of
systems assembled from independently developed components [124, 102, 99, 104, 39]. However, automated
compositional reasoning about system properties in the presence of uncertainty remains challenging.
This chapter addresses this challenge by building on a compositional framework of stochastic A/G
contracts [100], which relies on StSTL, a specification language for capturing probabilistic behaviors, to
conveniently balance expressiveness with support for computationally tractable encodings of analysis and
synthesis tasks in terms of optimization problems. StSTL contracts have shown to be effective when dealing
with qualitative verification tasks, aiming to establish whether a system, or a class of systems, satisfies
a certain property with high probability by verifying, for example, that a stochastic system satisfies a
stochastic contract, or that a stochastic contract refines another stochastic contract. However, many design
problems are rather concerned with quantitative reasoning, aiming to find, for instance, by which “margin”
a certain probability bound on the satisfaction of a requirement can be guaranteed. While a number of
efforts have resorted to notions of robust satisfaction of logic formulas [52, 49, 48, 44] in a deterministic
setting, effective frameworks to formulate and solve these problems in a stochastic setting have been
elusive.
Our contributions is summarized as follows. We introduce quantitative semantics for StSTL in terms of
a robustness estimate, capable of quantifying the degree of satisfaction of an StSTL formula. The robustness
estimate allows reasoning about the robust satisfaction of probabilistic temporal constraints. Moreover,
we show that it can be mapped to another estimate, termed predicate robustness estimate, which allows
translating often intractable probabilistic constraints into more tractable, deterministic constraints over
the statistics, e.g., expectations and variances, of the system variables.
57

Based on the quantitative semantics of StSTL, we formulate quantitative verification and parameter
synthesis problems over parametric system models and StSTL contracts. In particular, we show that the
parameter synthesis problem can be cast as a bi-level optimization problem. Moreover, for linear systems
with additive Gaussian uncertainty [147, 111], the robust satisfaction of a fragment of bounded-time StSTL
can be encoded into MILPs or MIQCPs which can be effectively solved using off-the-shelf solvers. Based
on these encodings, we provide effective algorithms to solve the quantitative verification and parameter
synthesis problems with StSTL contracts. We implement the proposed framework and algorithms in the
PyCASSE toolbox and illustrate their effectiveness on the design of a multi-sensor perception and ACC
systems.
4.2 Backgrounds
We introduce the class of stochastic systems we consider in this chapter together with background notions
on bi-level optimization. We then provide a brief discussion of the related work.
4.2.1 Discrete-Time Stochastic Control System
We use contracts to specify the behaviors of discrete-time stochastic systems, defined below. Let (Ω, F, P)
be a probability space, where Ω is a set of outcomes, F is a set of events, and P : F → [0, 1] is a function
that assigns probabilities to events [50]. The cdf of a random variable (RV) w is defined as the probability
of the event {w ≤ w}, i.e., Fw (w) = P{w ≤ w}.
Definition 4.1 (Discrete-Time Stochastic Control System) A discrete-time stochastic control system
(dt-SCS) is a tuple (X, U, Z, W, V, w, v, f, g, h), where, at time step k ∈ N0:
• xk ∈ X is the system state and X is the state space;
• uk ∈ U is the control input and U is the control input space;
58

• zk ∈ Z is the measurement vector and Z is the measurement space;
• wk ∈ W is the process input and W is the process input space;
• vk ∈ V is the measurement input and V is the measurement input space;
• w := {wk : Ω → W, k ∈ N0} and v := {vk : Ω → V, k ∈ N0} are random processes, consisting of
sequences of random vectors wk and vk over the probability space (Ω, F, P);
• The system process model f : X × U × W → X, the measurement model g : X × V → Z , and the
control law h : Z
k+1 → U are measurable functions [50] which describe the evolution of the stochastic
system. Given the value of the initial state x0, the system dynamics can be written as:
xk+1 = f(xk, uk, wk), zk = g(xk, vk), uk = h(z0, . . . , zk). (4.1)
A behavior of a dt-SCS is a sequence: ξ = ξ0, ξ1, · · · , where ξk = (x
T
k
, uT
k
, zT
k
, wT
k
, vT
k
)
T ∈
R
nX+nU +nZ +nW +nV and nX, nU , nZ, nW , nV are the dimensions of the corresponding spaces. We also
denote the behavior starting at time step k by (ξ, k) = ξk, ξk+1, · · · .
4.2.2 Bi-Level Optimization
A bi-level optimization problem is an optimization problem which embeds another optimization problem
as a constraint. Its variables can be partitioned into two vectors, a ∈ R
n
and b ∈ R
m, and an optimal
solution a for the upper-level optimization problem is to be selected over the set of optimal solutions B∗
59

of the lower-level optimization problem. A generic bi-level optimization problem can be posed in the
form [40]:
min
a∈Rn
F (a, b) s.t. G (a, b) ≤ 0, (4.2)
b ∈ arg min
b∈Rm
{f (a, b) : g (a, b) ≤ 0}, (4.3)
where (4.2) is the upper-level optimization problem, with its objective function F : R
n × R
m → R and
constraint function G : R
n × R
m → R, and (4.3) is the lower-level problem with its objective function
f : R
n × R
m → R and constraint function g : R
n × R
m → R.
4.2.3 Related Work
A few specification languages [122, 75, 79, 100, 78, 82] have been proposed to capture probabilistic behaviors of hybrid systems for verification and synthesis under uncertainty. A comparison between some of
these approaches can be found in the literature [100]. Robust semantics were formulated for StTL [78],
which has similar expressiveness as StSTL, to capture margins of satisfaction in terms of probability values
and predicate values. In this chapter, we define robust semantics for StSTL in the probability space and
then show that they can be directly mapped to a robustness estimate in the signal space, which is only
a function of the statistics of the system variables and can be regarded as the “determinized” version of
the original StSTL robustness estimate. RiSTL has also been proposed to incorporate risk metrics into a
probabilistic STL framework [82]. A fragment of RiSTL can be translated into STL formulas in the spirit
of the determinization approach adopted in this chapter. Differently from previous approaches, our focus
is on an automated compositional framework for verification and design space exploration via notions of
refinement that help quantify the level of uncertainty in multi-component systems and its propagation
across different abstraction layers in a design.
60

The parameter synthesis problems in this chapter can be cast as bi-level optimization problems, which
are known to be NP-hard [68]. Simply proving the optimality of a solution is also shown to be NP-hard for
this class of problems [144]. When the lower-level problem is convex and sufficiently regular [131], the bilevel problem can be reduced to a single optimization problem [11]. On the other hand, nested approaches
using heuristic algorithms are applicable under weaker assumptions [131] but tend to be computationally
expensive and provide poor optimality guarantees. Our algorithm, based on the nested approach, leverages
the particular structure of the bi-level problems of interest, where the objective of the lower-level problem
serves as the constraint for the upper-level problem. We solve the lower-level problem over partitions of
the upper-level solution space and select only those partitions such that the solutions of the lower-level
problem always satisfy the upper-level constraint. We can then effectively explore the upper-level solution
space while providing optimality guarantees within a user-defined tolerance based on the granularity of
the partitions.
4.3 Quantitative Reasoning with StSTL
Under certain assumptions on the system model, the qualitative satisfaction of an StSTL formula can be
encoded into a set of deterministic constraints over the statistics of the system variables [100]. Consider,
for instance, the encoding of an AP. If the inverse of the cdf Fµ(ξk)
is available, then we can translate the
chance constraint µ
[p]
:= P{µ (ξk) ≤ 0} ≥ p into the deterministic constraint F
−1
µ(ξk)
(p) ≤ 0. Previous
work leverages such a transformation to provide sound encodings of the satisfaction of bounded-time
StSTL formulas for discrete-time stochastic systems in terms of more tractable, deterministic mixed integer
linear constraints [100].
While the qualitative semantics of StSTL [100] can be used to provide a yes-or-no answer to whether
a system satisfies a formula, in this dissertation, we extend this approach to deal with the quantitative
61

semantics of bounded-time StSTL and the solution of robust contract-based verification and synthesis
problems. Furthermore, we extend this logic to support parameters in the predicates.
4.3.1 Robustness Semantics of StSTL
By extending the quantitative semantics of STL [49], we define the quantitative semantics of StSTL via a
robustness estimate ρ, which maps a set of system behaviors to a real number as follows:
ρ(µ
[p]
, ξ, k) = P{µ(ξk) ≤ 0} − p
ρ(¬ϕ, ξ, k) = −ρ(ϕ, ξ, k)
ρ(ϕ ∧ ψ, ξ, k) = min(ρ(ϕ, ξ, k), ρ(ψ, ξ, k))
ρ(ϕU[t1,t2]ψ, ξ, k) = max
i∈[k+t1,k+t2]
(ρ(ψ, ξ, i), min
j∈[k,i−1]
ρ(ϕ, ξ, j))
In the same way the quantitative semantics of STL have the fundamental properties of soundness [48,
Theorem 1] and correctness [48, Theorem 2], the robustness estimate ρ of an StSTL can be proven to be
sound and correct. Intuitively, ρ measures the margin between P{µ(ξk) ≤ 0} and p. (ξ, k) satisfies µ
[p]
with robustness ρ0, if it satisfies µ
[p+∆p]
for any perturbation ∆p less than or equal to ρ0, i.e., ∀∆p ∈ [0, ρ0],
(ξ, k) |= µ
[p+∆p] holds.
Example 4.1 Consider a sensor whose noise can be modeled by a normally distributed RV x with expectation
E[x] = 0 and variance V ar[x] = 1. We want to find the robustness margin by which the sensor satisfies the
StSTL formula (x − 2)[0.84], stating that “x is less than or equal to 2 with probability larger than or equal to
0.84.” Let v = x − 2. As shown in Figure 4.1, the robustness estimate is ρ0 = P{v ≤ 0} − 0.84 ≈ 0.14.
Therefore, for any perturbation ∆p ≤ 0.13 ≤ ρ0, we still have x |= (x − 2)[0.84+∆p]
. In other words, the
noise x is less than or equal to 2 with probability as large as 0.97.
62

0 = ℙ ≤ 0 − ≈ 0.14
0
′
= −1 + 0 − −1 ≈ 1
−1 = ℙ ≤ −1 ≈ = 0.84
0 = ℙ ≤ 0 ≈ 0.98
−1 ≈ −1 −1 + 0 = 0
Figure 4.1: Robustness estimate ρ and predicate robustness estimate ρ
′
for the predicate P{v ≤ 0} ≥ p = 0.84
shown on the cdf Fv of v, where v ∼ N(−2, 1). ρ0 = P{v ≤ 0} − 0.84 ≈ 0.14 and ρ
′
0 = F
−1
v
(0.84 + ρ0) −
F
−1
v
(0.84) ≈ 1 where F
−1
v
is the inverse cdf of v.
4.3.2 Deterministic Encoding of Robust StSTL Satisfaction
Inspired by the qualitative encoding of the satisfaction of an StSTL formula into deterministic constraints,
we look for transformations of the probabilistic robustness estimate into a deterministic estimate. We
assume that the inverse of the cdf Fµ(ξk)
is available. We can then define the predicate robustness estimate
ρ
′ of an StSTL AP as follows:
ρ
′
(µ
[p]
, ξ, k, ρ) = F
−1
µ(ξk)
(p + ρ) − F
−1
µ(ξk)
(p),
(4.4)
where ρ
′ measures the margin between F
−1
µ(ξk)
(p + ρ) and F
−1
µ(ξk)
(p). ρ
′ preserves the order and sign of ρ
by the monotonicity of F
−1
µ(ξk)
.
ρ
′
can then be used in the same way as ρ to quantitatively reason about the satisfaction of an StSTL
formula. (ξ, k) satisfies µ
[p] with predicate robustness ρ
′
0
if, for any perturbation ∆µ less than or equal
63

Chance Constraint

≔ ℙ ≤ 0 ≥
Determinized Chance Constraint

−1 ≤ 0
Robustness Estimate

, , ≔ ℙ ≤ 0 −
Determinized Robustness Estimate

′ , ≔
−1 + −
−1
Qualitative
Quantitative
Figure 4.2: Relationships between qualitative and quantitative satisfaction of StSTL APs and their deterministic
encodings.
to ρ
′
0
, (ξ, k) |= (µ + ∆µ)
[p] holds. Since P{µ(ξk) ≤ 0} = p + ρ if and only if F
−1
µ(ξk)
(p + ρ) = 0, and
ρ = P{µ(ξk) ≤ 0} − p, by the robustness semantics of StSTL, we conclude:
ρ
′
(µ
[p]
, ξ, k) = −F
−1
µ(ξk)
(p).
(4.5)
Example 4.2 Consider the StSTL AP v
[0.84] = (x − 2)[0.84] in Example 4.1. As shown in Figure 4.1, we have
ρ
′
0 = −F
−1
v
(0.84) ≈ 1 and, accordingly, (ξ, k) |= (v + ∆µ)
[0.84] for all ∆µ ≤ 1 ≤ ρ
′
0
. In other words, with
probability larger than or equal to 0.84, the sensor noise x is less than or equal to c, with c as small as 1.
Figure 4.2 summarizes the relationships between qualitative and quantitative satisfaction of an StSTL
AP and their encodings into deterministic constraints. The robustness estimate ρ (bottom-left constraint in
Figure 4.2) provides a quantitative measure of satisfaction for the StSTL AP µ
[p]
as a real number between
−1 and 1. We can convert ρ into a predicate robustness estimate ρ
′
(bottom-right constraint in Figure 4.2),
which translates a margin defined in the probability space into a margin in terms of the statistics of the
predicate µ and, ultimately, the statistics of the system variables. ρ
′
can assume any real value.
4.3.3 Parametric Stochastic Signal Temporal Logic
Parametric StSTL (PStSTL) extends StSTL [100] with parameters. Let π ∈ Π be a set of parameters partitioned into two disjoint sets of signal parameters, πs = {s1, s2, . . .}, with domain Πs, and probability
64

threshold parameters, πp = {p1, p2, . . .}, with domain Πp. We denote a PStSTL formula ϕ parametrized by
π by ϕ(π). For example, ϕ(π) := F[0,5](x + s)
[p] has parameter set π = {s, p}.
4.4 Problem Formulation
We express the sets A and G of a contract C = (A, G) using StSTL formulas ϕA and ϕG, respectively. The
formula ϕC = ϕA → ϕG specifies the set of behaviors of any valid implementation of C. Operations and
relations between assumptions and guarantees in contracts can then be mapped to operations and relations
between formulas [100]. Compatibility, consistency, and refinement checking can be translated into satisfiability or validity checking of formulas. Robust verification translates, instead, into robust satisfaction
and robust refinement problems, defined below.
Problem 4.1 (Robust Satisfaction) Given a stochastic system M, a stochastic contract C = (ϕA, ϕG),
and ρ
∗ ∈ R≥0, check whether M satisfies C with robustness (at least) ρ
∗
, written M |=ρ
∗ C, i.e., whether
ρ(ϕC, ξM, k) ≥ ρ
∗
for all system behaviors (ξM, k).
Problem 4.2 (Robust Refinement) Let C1 = (ϕA1, ϕG1) and C2 = (ϕA2, ϕG2) be stochastic contracts
defined on a stochastic system M. Given ρ
∗ ∈ R≥0, check whether C2 refines C1 with robustness (at least) ρ
∗
,
written C2 ⪯ρ
∗ C1, i.e., whether ρ(ϕA1 → ϕA2, ξM, k) ≥ ρ
∗ and ρ(ϕC2 → ϕC1
, ξM, k) ≥ ρ
∗
for all system
behaviors (ξM, k).
On the other hand, we cast design space exploration problems as parameter synthesis problems where
a set of optimal parameter values must be selected such that the contracts are satisfied. To formulate the
problem, we first introduce parametric systems and contracts.
During the design process, some constants in the stochastic system may be regarded as design parameters. We represent such scenario with a parametric stochastic system (component) M(πM), where πM is a
65

set of parameters and ΠM is the domain for πM. Similarly, some elements in the stochastic contract specification may also be parametrized. We model such scenario with a parametric stochastic contract which
has assumptions and guarantees written in PStSTL, i.e., C(πC) = (ϕA(πC), ϕG(πC)), where πC is a set of
parameters, and ΠC is the domain for πC.
Problem 4.3 (Parameter Synthesis) Given a parametric stochastic system M(πM), a parametric stochastic contract C(πC) = (ϕA(πC), ϕG(πC)), and a cost function J : ΠC × ΠM → R, find an optimal set of
parameters π = πC ∪ πM such that M(πM) |=ρ
∗ C(πC).
Problem 4.3 can be written as a bi-level optimization problem:
min
π∈ΠC ×ΠM
J(π) s.t. ρ(ϕC (πC ), ξM, k) ≥ ρ
∗
(4.6)
(ξM, k) ∈ arg min
(ξM,k)
{ρ(ϕC (πC ), ξM, k) : (ξM, k) |= ϕA(πC )} (4.7)
(4.6) is the upper-level problem and (4.7) is the lower-level problem. Problem (4.7) searches for system
behaviors that minimize the robustness estimate ρ(ϕC(πC), ξM, k). In (4.7), we require that ϕA(πC) hold
since we are interested in behaviors which robustly satisfy the contract ϕC(πC) under valid environments.
If the resulting minimum robustness estimate ρmin(ϕC(πC), ξM, k) for the lower-level problem is larger
than or equal to ρ
∗
, then all the system behaviors robustly satisfy ϕC(πC). Only if the parameters provide
such a guarantee, they are considered as the feasible space for the upper-level problem (4.6), where we
search for the set of optimal parameter values π
∗
. We can also synthesize parameters such that refinement
is guaranteed to hold robustly.
Problem 4.4 (Parameter Synthesis Under Refinement) Let C1 = (ϕA1, ϕG1) be a stochastic contract
and C2(πC) = (ϕA2(πC), ϕG2(πC)) be a parametric stochastic contract defined on a parameteric stochastic
system M(πM). Given a cost function J : ΠC × ΠM → R, find an optimal set of parameters π = πC ∪ πM
such that C2(πC) ⪯ρ
∗ C1 and M2(πM) |=ρ
∗ C2(πC).
66

Problem 4.4 can also be written as a bi-level optimization problem:
min
π∈ΠC ×ΠM
J(π) s.t. ρ(ϕ⪯G (πC ) ∧ ϕC2(πC ), ξM, k) ≥ ρ
∗
(4.8)
(ξM, k) ∈ arg min
(ξM,k)
{ρ(ϕ⪯G (πC ) ∧ ϕC2(πC ), ξM, k) : (ξM, k) |= ϕ⪯A (πC ) ∧ ϕA1} (4.9)
where ϕ⪯A
(πC) := ϕA1 → ϕA2(πC) and ϕ⪯G
(πC) := ϕC2
(πC) → ϕC1
are the conditions for the robust
refinement C2(πC) ⪯ρ
∗ C1 to hold, respectively; ϕC2
(πC) is the condition for M2(πM) |= C2(πC) to
hold; (4.8) is the upper-level, and (4.9) is the lower-level problem. Problem (4.9) searches for the minimum
robustness value for the refinement under the constraints that the system is implementable and operates
in a valid environment. If the minimum robustness estimate ρmin(ϕ⪯G
(πC) ∧ ϕC2(πC), ξM, k) is larger
than or equal to ρ
∗
, we solve (4.8) to find the set of optimal parameter values π
∗
. In the following, we
discuss effective methods to solve the problems above under additional assumptions on the system.
4.5 Deterministic Encoding of StSTL Satisfaction
Given the stochastic system model, the predicate robustness estimate (4.5) allows translating the robust
satisfaction of an StSTL formula into a set of deterministic mixed integer constraints which can be used
to formulate the quantitative verification problems in Section 4.4. The verification problems can be used
as elements for the solution of the parameter synthesis problems. In this chapter, we instantiate these
problems for the class of discrete-time linear systems with Gaussian process and measurement inputs,
expressive enough to capture a large number of applications [147, 61, 54]. We assume that the dt-SCS M
is governed by the following dynamics:
xk+1 = Axk + Buk + wk, zk = Cxk + vk, uk = Dzk + E, (4.10)
67

where A ∈ R
nX×nX , B ∈ R
nX×nU , C ∈ R
nZ ×nX , D ∈ R
nU ×nZ , E ∈ R
nU ×1
, and the process and
measurement inputs are white Gaussian independent processes with wk ∼ N (0, Q) and vk ∼ N (0, R)
∀ k ∈ N0, Q ∈ R
nX×nX and R ∈ R
nZ ×nZ being the process and measurement input covariance matrices,
respectively. Let StSTL APs be in the form P{µ(ξk) ≤ 0} ≥ p with:
µ(ξk) = a
T xk + b
T uk + c
T
zk + d
T wk + e
T
vk + f, (4.11)
where a ∈ R
nX×1
, b ∈ R
nU ×1
, c ∈ R
nZ ×1
, d ∈ R
nW ×1
, e ∈ R
nV ×1
, and f ∈ R. We can then state the
following result.
Theorem 4.1 For a stochastic system M governed by (4.10) and the StSTL AP P{µ(ξk) ≤ 0} ≥ p with µ(·)
in (4.11), the predicate robustness estimate (4.5) is equivalent to
ρ
′
k
(µ
[p]
, M) = −E[µ(ξk)] − F
−1
(p) σµ(ξk)
, (4.12)
where E[µ(ξk)] and V ar[µ(ξk)] = σ
2
µ(ξk)
can be computed as:
E[µ(ξk)] = βαkx0 + β
X
k
i=1
α
k−iBE + b
T E + f, (4.13)
V ar[µ(ξk)] = X
k
i=1
(βαk−i
)Q(βαk−i
)
T + d
TQd + γRγT +
X
k
i=1
(βαk−i−1BD)R(βαk−i−1BD)
T
, (4.14)
F
−1
(·) is the inverse cdf of a standard Gaussian RV, α = A + BDC, β = a
T + b
T DC + c
T C, and
γ = b
T D + c
T + e
T
.
Proof: From (4.10), xk, uk, and zk are linear combinations of the Gaussian processes wk and vk; thus,
they follow Gaussian distributions. µ(ξk) is a linear combination of xk, uk, zk, wk, and vk; hence, µ(ξk)
68

follows a Gaussian distribution. By substituting xk, uk, and zk in (4.11), we get exact expressions for µ(ξk)
which is normally distributed. From this expression, we obtain (4.13) and (4.14). □
Given the deterministic encoding of an StSTL AP in (4.12), the satisfaction of a bounded-time StSTL formula ϕ can be encoded as a conjunction of deterministic constraints by applying the same techniques proposed in the literature for StSTL [100]. Quantitative encoding requires, however, taking the min and max
of the robustness estimates. We encode these constraints by using the methods previously proposed for
robust satisfaction of STL formulas [117] into mixed integer constraints. In the general case, the deterministic encoding of bounded-time StSTL satisfaction becomes a mixed integer nonlinear program (MINLP)
which is usually intractable. However, if f in (4.11) and p in (4.5) are the only parameters and a piecewise linear approximation of F
−1
(·) is available, the encoding reduces to a MILP that can be effectively
solved [80], as further exemplified below.
Example 4.3 Consider a dt-SCS M and the PStSTL formula ϕ(c, p) := G[0,2](x − c)
[p] where c ∈ [0, 5] and
p ∈ [0.85, 0.95]. The initial state is x0 = 0; the system dynamics are xk+1 = xk + wk; and wk ∼ N (1, 2)
for each time step k = 0, 1, 2. The distributions of xk at each time step k can be found as follows: x0 = 0,
x1 = x0+w0 ∼ N (1, 2), and x2 = x1+w1 ∼ N (2, 4). The robustness estimate is ρk = P{xk −c ≤ 0}−p,
but we resort to the predicate robustness ρ
′
k
(ϕ(c, p), M) = −E[xk − c] − Fg−1 (p) σ[xk − c], k = 0, 1, 2,
from (4.12), where Fg−1 (p) is a piecewise linear approximation of F
−1
(p). From [117], we get the robustness
ρ
′
(ϕ(c, p), M) = min(ρ
′
0
, ρ′
1
, ρ′
2
), where the min operator encodes the globally (G) operator. The constraint
ρ
′
(ϕ(c, p), M) ≥ ρ
∗
enforces the robust satisfaction of ϕ(c, p).
If the elements in Q or R are further used as parameters, quadratic terms are introduced in the expression for V ar[µ(ξk)] = σ
2
µ(ξk)
; hence, the encoding reduces to a MIQCP, for which there are also a number
of effective solution methods [22] and off-the-shelf tools.
69

Optimal Parameters:
∗ =
∗
,
∗
Cost Function
,
Design Space
Π = Π ∪ Π
Maximum
Partitions

1
2

Components Contracts
1
2

Problem
Lower-Level
Problem
Optimal Parameter Value Selection
Upper-Level
Problem
Design Space
Partition
SAT Partitions: Π
+
Partition
Π
SAT,
UNSAT, or UNDET
MIP Translation
Robustness Estimate: ′
Figure 4.3: Overview of the proposed framework for finding an optimal set of parameter values for a stochastic
system.
4.6 Robust Verification and Parameter Synthesis
Our automated framework addresses the problems formulated in Section 4.4 using the encoding detailed
in Section 4.5. Figure 4.3 depicts the overall structure of the framework, taking as inputs the component
models, the contracts, the problem, the cost function, the design space, and the maximum number of
partitions used for parameter synthesis. The framework either returns 1) the robustness margin by which
the system satisfies the contracts or 2) a set of optimal parameters with respect to the cost function.
We denote a set of mixed integer constraints, encoding the satisfaction problem for StSTL formula
ϕ and the stochastic system M at time step k, by Ck

ϕ, M
. The inequality ρ
′
k

ϕ, M) ≥ ρ
∗
is then a
constraint in Ck

ϕ, M
. A behavior (ξM, k) of M satisfies an StSTL formula ϕ, i.e., (ξM, k) |= ϕ, if
Ck

ϕ, M
is feasible.
7

Algorithm 4: f indOptP aram(M(πM), C(πC), Π, J, N)
input : A Parameteric System, M(πM),
A Parameteric Contract, C(πC),
A Parameter Space, Π = ΠC ∪ ΠM,
A Cost Function, J : ΠC × ΠM → R,
Maximum Number of Partitions, Nmax
output: A Set of Optimal Parameter Values, π
∗ = π
∗
C ∪ π
∗
M ∈ Π
1 Π+, Π− ← ∅, ΠU ← {Π}, rmin ← ∞
2 while ΠU ̸= 0 and |Π+| + |Π−| + |ΠU | ≤ Nmax do
3 Πcurr ← deqeue(ΠU )
4 if isSATPartition(M(πM), C(πC), Πcurr) then
5 Π+ ← Π+ ∪ Πcurr
6 end
7 else if isUNSATPartition(M(πM), C(πC), Πcurr) then
8 Π− ← Π− ∪ Πcurr
9 end
10 else
11 ΠU ← ΠU ∪ paramSpacePartition(Πcurr)
12 end
13 end
14 for Πcurr in Π+ do
15 if maxπ∈Πcurr J(π) > rmax then
16 π
∗ ← arg minπ∈Πcurr
J(π)
17 rmin ← J(π
∗
)
18 end
19 end
20 return π
∗
Problem 4.1. Given the stochastic system M, a stochastic contract C = (ϕA, ϕG), and ϕC := ϕA →
ϕG, we compute the minimum value of the predicate robustness ρ
′
k
(ϕC, M) by solving the following
optimization problem:
min
(ξM,k)
ρ
′
k

ϕC , M
s.t. Ck

ϕC , M
\ (ρ
′
k

ϕC , M
≥ ρ
∗
)
If the minimum value of ρ
′
k
(ϕC, M) is larger than or equal to ρ
∗
, then M satisfies C with robustness (at
least) ρ
∗
, i.e., M |=ρ
∗ C.

Problem 4.2. Given C1 = (ϕA1, ϕG1) and C2 = (ϕA2, ϕG2) where ϕ⪯A
:= ϕA1 → ϕA2 and ϕ⪯G
:=
(ϕA2 → ϕG2) → (ϕA1 → ϕG1), we compute the minimum values of ρ
′
k
(ϕ⪯A
, M) and ρ
′
k

ϕ⪯G
, M) by
solving the following optimization problems.
min
(ξM,k)
ρ
′
k

ϕ⪯G, M
s.t. Ck

ϕ⪯G, M
\ (ρ
′
k

ϕ⪯G, M
≥ ρ
∗
)
min
(ξM,k)
ρ
′
k

ϕ⪯A, M
s.t. Ck

ϕ⪯A, M
\ (ρ
′
k

ϕ⪯A, M
≥ ρ
∗
)
If both values are larger than or equal to ρ
∗
, C2 refines C1 with robustness (at least) ρ
∗
, i.e., C2 ⪯ρ
∗ C1.
Problem 4.3. We solve the parameter synthesis problem using Algorithm 4. Given a parametric
stochastic system M(πM), a parameteric stochastic contract C(πC), the parameter space Π = ΠC × ΠM,
a cost function J(π), and the maximum number of partitions Nmax, we find the set of optimal parameter
values π
∗ = (π
∗
C
, π∗
M) by solving the bi-level optimization problem defined in (4.6) and (4.7).
We apply a nested method, where the lower-level problem (4.7) is solved for each partition of the upperlevel problem parameter space. The parameter space Π is split into multiple partitions and each partition
is classified as a SAT partition, an UNSAT partition, or an UNDET partition. Any set of parameter values
chosen within a SAT partition ensures that M(πM) |=ρ
∗ C(πC). There exists no set of parameter values
in an UNSAT partition such that M(πM) |=ρ
∗ C(πC) holds, while a set of parameter values chosen from
an UNDET partition may or may not ensure M(πM) |=ρ
∗ C(πC). The upper-level solution is optimized
only over the SAT partitions.
Algorithm 4 initializes the SAT and UNSAT partitions as empty sets and the UNDET partition as {Π}
(line 1). While UNDET partitions exist and the number of all partitions is less than or equal to Nmax (line
2), the algorithm selects a partition Πcurr from a set of UNDET partitions using the deqeue functio

(line 3). We classify the partition Πcurr as a SAT partition, i.e., isSATPartition(·) = ⊤, if the value of the
objective function for the following optimization problem is larger than or equal to ρ
∗
:
min
π∈Πcurr,(ξM,k)
ρ
′
k

ϕC(πC), M(πM)

s.t. Ck

ϕC(πC), M(πM)

\ (ρ
′
k

ϕC(πC), M(πM)

≥ ρ
∗
) and Ck

ϕA(πC), M(πM)

.
If ρ
′
k

ϕC(πC), M(πM)

≥ ρ
∗
, then any set of parameter values within Πcurr is a robust set of parameter
values and it is classified as a SAT partition (line 4-5).
The partition Πcurr is classified as an UNSAT partition, i.e., isUNSATPartition(·) = ⊤ if the value of
the objective function for the following optimization problem is smaller than ρ
∗
:
max
π∈Πcurr,(ξM,k)
ρ
′
k

ϕC(πC), M(πM)

s.t. Ck

ϕC(πC), M(πM)

\ (ρ
′
k

ϕC(πC), M(πM)

≥ ρ
∗
) and Ck

ϕA(πC), M(πM)

.
If ρ
′
k

ϕC(πC), M(πM)

< ρ∗
, no set of parameter values within Πcurr is a robust set of parameter values
and Πcurr is classified as an UNSAT partition (line 6-7).
If the partition Πcurr is neither SAT nor UNSAT partition, Πcurr is classified as an UNDET partition
and is further partitioned into smaller partitions using the paramSpacePartition(·) function (line 8-9).
Any partitioning scheme can be used in Algorithm 4. We implement the greatest uncertainty split which
halves the range of each dimension, partitioning any n-dimension partition into 2
n partitions. Lastly, a
set of optimal parameter values is selected and the corresponding cost is computed for each SAT partition
(line 10-13). The set of optimal parameter values π
∗ with the least cost rmin is returned as a solution (line
14).
Problem 4.4. Given C1 = (ϕA1, ϕG1) and C2(πC) = (ϕA2(πC), ϕG2(πC)), the parameter
synthesis under refinement problem can be solved using Algorithm 4 with the contract C⪯(πC)

1
+

≼
≼
++1
⨂
⋯

⨂
⨂

≼
∗
≼
∗

+ +
++
⨂
⋯

⨂

∧
≼

∗

+ +
++

Figure 4.4: Design examined in the case studies, including a multi-sensor perception system Mper with N fixed
sensors and L unknown sensors, and an ACC system Macc with safety and comfort requirements.
(ϕ⪯A
(πC), ϕ⪯G
(πC)), whose assumptions and guarantees are defined as ϕ⪯A
(πC) := (ϕA1 → ϕA2(πC))∧
ϕA1 and ϕ⪯G
(πC) := (ϕC2(πC) → ϕC1) ∧ ϕC2(πC), respectively.
4.7 Case Studies
We implemented our approach in the Python Contract-based Analysis for Stochastic System Exploration
(PyCASSE)
∗
library, and evaluated its effectiveness on the vehicle design scenario in Figure 4.4 by executing
our experiments on an Intel core i7 processor with 16-GB RAM. The ego vehicle M, i.e., the system under
control with its requirements specified in a top-level contract C, consists of a multi-sensor perception and
an ACC components Mper and Macc, specified by contracts Cper and Cacc, respectively. The multi-sensor
perception system Mper, specified in a contract Cper, consists of multiple sensors Mi
, i = 1, · · · , N + L,
and a data fusion module MN+L+1 specified by Ci
, i = 1, · · · , N + L and CN+L+1, respectively. Its
correctness can be checked by showing that NN+L+1
i=1 Ci ⪯ρ
∗ Cper and Mi
|=ρ
∗ Ci
, i = 1, . . . , N +L+ 1.
The ACC system Macc must satisfy both the safety and comfort contracts Csafe and Ccomf , respectively,
which can be checked by showing that Macc |=ρ
∗ Csafe and Macc |=ρ
∗ Ccomf .
In this scenario, we focus on two case studies in Figure 4.4. In the first case study, we design a multisensor perception system Mper consisting of sensors with different noise levels. We synthesize the sensor
∗
https://github.com/descyphy/pycasse
74

and the requirement parameters such that refinement NN+L+1
i=1 Ci ⪯ρ
∗ Cper holds, while varying the
number of sensors, N and L. In the second case study, we explore the safety and comfort requirements
Csafe and Ccomf for the ACC system which regulates the ego vehicle’s speed, based on the sensor measurements of the distance and velocity of the ego and the leading vehicles. We model the multi-sensor
perception and ACC systems using the variables:
• xe, xl
: location of the ego and the leading vehicle;
• ve, vl
: velocity of the ego and the leading vehicle;
• d = xl − xe, v = vl − ve: relative distance and velocity between the ego and the leading vehicles;
• ae, al
: acceleration of the ego and the leading vehicle.
We denote the values of these variables at time step k with the subscript k, e.g., the relative velocity v
between the ego and the leading vehicles at time step k is denoted by vk.
4.7.1 Multi-Sensor Perception System
The multi-sensor perception system has N specified sensors and L unspecified sensors captured by parametric stochastic contracts. In this case study, we aim to search for inexpensive sensors that can be affected
by noise, i.e., large standard deviations σj within the [0.2, 2] range, while still guaranteeing with probability (confidence) pj in [0.8, 1] that the sensor error lies in the [−1, 1] interval, where j = 1, · · · , L. The
system Mper has its contract Cper = (G[0,10](d ≤ 250), G[0,10](|nd| − 1)[0.99]), which expresses the
requirement that, if the distance d is always less than or equal to 250 m, the absolute value of the distance
sensor noise nd is always less than or equal to 1 with probability larger than or equal to 0.99. Let the
dynamics of the specified sensors be zi,k = dk + nd,i,k for i = 1, · · · , N, where nd,i,k ∼ N (0, 0.5
2
).
According to the cost function J = −
PM
j=1(σN+j + pN+j ), aiming to maximize the standard deviations
σj and probabilities pj , j = 1, · · · , L, we determine the set of optimal parameter values for the unspecified
75

# of
Specified
Sensors, N
# of Unspecified
Sensors, L
(Parameters, 2L)
Execution Time [s]
# of Maximum Partitions, Nmax
10 100 200 500 1,000
1 1 (2) 0.75 5.61 7.12 16.18 34.01
10 1 (2) 0.90 6.49 14.11 42.40 75.80
50 1 (2) 2.69 20.09 37.47 105.03 246.93
100 1 (2) 4.76 44.66 78.81 208.23 402.82
200 1 (2) 14.94 112.68 271.54 506.17 1,024.74
100 2 (4) *1.75 33.60 72.40 183.98 365.81
100 3 (6) *1.52 *36.81 83.33 191.79 406.42
100 4 (8) *0.69 *0.75 *0.68 *144.92 384.57
Table 4.1: Execution time of parametric refinement for the multi-sensor perception system. When the optimal
parameters could not be found before reaching the maximum number of partitions, the execution time is marked
with ∗.
sensors with dynamics zN+j,k = dk + nd,N+j,k where nd,N+j,k ∼ N (0, σ2
N+j
), and the corresponding
contracts CN+j , j = 1, · · · , L.
We define the contracts for the specified and unspecified sensors and the data fusion module as follows:
Ci =

G[0,10](d ≤ 300), G[0,10] (|nd,i| − 2)[0.95]
i = 1, 2, · · · , N,
CN+j (p) =
G[0,10](d ≤ 250), G[0,10] (|nd,N+j | − 1)[p]

j = 1, 2, · · · , L,
CN+L+1 =

⊤, G[0,10]
nd =
N
X
+L
i=1
nd,i
N + L
!! .
We first assume that there exists only one unspecified sensor, i.e., L = 1, and find the optimal set
of parameters (pN+1, σN+1) for the unspecified sensor such that the composition of the componentlevel contracts robustly refines the system-level contract, i.e., NN
i=1 Ci ⊗ CN+1 ⊗ CN+2 ⪯ρ
∗ Cper and
MN+1(σN+1) |=ρ
∗ C(pN+1). Figure 4.5 illustrates the parameter synthesis results. All the parameter values in the green boxes (SAT partitions) guarantee that the robust refinement holds. The red boxes indicate
UNSAT partitions and the grey boxes indicate UNDET partitions. We report the results for a system made
of one (left), 2 (center), and 3 (right) specified sensors, respectively, and one unspecified sensor. The result
76

suggests that an accurate, but possibly expensive, sensor has to be chosen to satisfy the system requirements in C when only one specified sensor is available. As the number of available high-quality sensors
increases, we can choose a cheaper sensor MN+1 with a large standard deviation σN+1 for its error.
Algorithm 4 requires at most 2Nmax MILPs or MIQCPs iterations to find the optimal parameter values.
In this case study, MIQCPs are solved since the σN+j parameters lead to quadratic constraints. Table 4.1
reports the execution times of PyCASSE for multiple combinations of specified and unspecified sensors and
Nmax. While the execution time for solving each MIQCP problem depends on the number of parameters
and sensors, the results in Table 4.1 demonstrate that the execution time scales linearly as Nmax increases.
We also observe that, as the number of parameters increases, finer partitions are required, hence a higher
Nmax, to determine whether a box is SAT or UNSAT.
4.7.2 Adaptive Cruise Control
The adaptive cruise control (ACC) system controls the ego vehicle to keep it as close as possible to a target
distance dtarget = dsafe+τve, while adapting to the leading vehicle’s behavior. dsafe is the pre-determined
safe distance and τ is the time gap. Several parts of such system are intrinsically of stochastic nature, e.g.,
the noise of the sensors detecting the distance and velocity, and the behavior of the leading vehicle. In
this case study, we illustrate the parameter synthesis process on an ACC system whose safety and comfort
requirements are specified by two parametric stochastic contracts.
The dynamics of the ACC system is given by the state-space representation in (4.10) with:
A =












1 ∆t 0 0
0 1 0 0
0 0 1 ∆t
0 0 0 1












, B =












0
∆t
0
0












, C =








−1 0 1 0
0 −1 0 1
0 1 0 0








, (4.15)
77

where ∆t is the size of each time step, xk = [xe,k, ve,k, xl,k, vl,k]
T
is the state vector, uk = [ae,k] is the control input, zk = [ ˆdk, vˆk, vˆe,k]
T
is the measurement vector modeling the sensor readings of dk, vk, and ve,k.
wk = [0, 0, 0, al,k]
T ∼ N (0, Q) is the process input modeling the behavior of the leading vehicle where
V ar[al,k] = (∆tσal
)
2
is the variance of the leading vehicle’s acceleration; vk = [nd,k, nv,k, nve,k]
T ∼
N (0, R) is the measurement noise where V ar[nd,k] = V ar[nv,k] = 12
and V ar[nve,k] = 0.5
2
for time
step k. We assume that nd,k, nv,k, and nve,k are independent and identically distributed (i.i.d.). Finally,
the ACC control policy [29, Figure 5] is given by uk = Dzk + E where D =

KI KP −τKI

and
E =

−dsafeKI

. Larger σ
2
al
indicates more aggressive acceleration and deceleration of the leading vehicle. On the other hand, large values of KP and KI produce more aggressive acceleration and deceleration
for the ego vehicle.
In this case study, we search for the sets of optimal parameter values πsafe = (cs, ps) and
πcomf = (cc, pc) for two requirements expressed as the parametric stochastic contracts Csafe(πsafe) and
Ccomf (πcomf ). Csafe requires that the probability of maintaining the distance d larger than or equal to
cs is greater than or equal to ps when the initial distance is greater than or equal to dtarget and the initial
relative velocity between the ego and the leading vehicle is smaller than or equal to 5 m/s. We define the
safety contract as Csafe = (ϕA,safe, ϕG,safe) where ϕA,safe := (d ≥ dtarget) ∧ (|v| ≤ 5) and ϕG,safe :=
G[0,20](cs − d)
[ps]
. On the other hand, Ccomf requires that the acceleration of the ego vehicle be larger
than or equal to cc m/s2 with a probability larger than or equal to pc, to avoid abrupt decelerations [9]
under the same assumptions as Csafe. We define the comfort contract as Ccomf = (ϕA,safe, ϕG,comf )
where ϕG,comf := G[0,20](cc − ae)
[pc]
.
Our goal is to find a set of optimal parameters such that Macc |=ρ
∗ Csafe(cs, ps) and Macc |=ρ
∗
Ccomf (cc, pc) (Problem 4.3). We assume that ∆t = 0.5 s, σ
2
al = 0.5, KP = KI = 0.5, dsafe = 10 m,
τ = 1.6 s, J(cs, ps) = −100ps − cs, and J(cc, pc) = −100pc − cc to maximize the probabilities of robust
78

Approaches Requirements Csafe Ccomf
Our Approach Execution Time [s] 433.76078 444.94791
Violation Probability 0.00625 0.00625
105
Simulations Execution Time [s] 263.18550 201.91763
Violation Probability 0.00819 0.00546
Table 4.2: Results from our approach and 105
simulation runs.
satisfaction while guaranteeing safety and comfort of the ACC. The larger cs, the safer the ACC becomes;
the larger cc, the more comfortable the ride becomes for the passengers.
As shown in Figure 4.6, Algorithm 4 provides the optimal parameter sets (c
∗
s
, p∗
s
) = (5.625, 0.99375)
and (c
∗
c
, p∗
c
) = (−7.5, 0.99375). To validate the result, we ran 105
simulations in Matlab under a
pre-determined initial state that satisfies the assumptions specification ϕA,safe, i.e., xe = 0 m, ve =
0 m/s, xl = 50 m, and vl = 0 m/s. In Table 4.2, the rate of violation of the constraint d ≥ c
∗
s = 5.625 m
in simulations is approximately equal to 1 − p
∗
s = 0.00625. The rate of violation of the constraint
ae ≥ c
∗
c = −7.5 is smaller than 1 − p
∗
c = 0.00625. Solving the parameter synthesis problem takes longer
time than executing 105
simulation runs for estimating the probability of violating Csafe and Ccomf . However, PyCASSE performs exhaustive search over a range of the parameter design space and initial conditions. On the other hand, simulations are only limited to the evaluation of the requirements in a particular
case, with fixed parameter values and initial state.
4.8 Chapter Summary
We presented an automated framework for quantitative verification and design space exploration of CPSs
under uncertainty, leveraging the robust semantics of stochastic A/G contracts expressed in StSTL. We illustrated the effectiveness of our approach on the design and verification of a multi-sensor perception system and an ACC system. Future work includes the extension of the proposed framework to non-Gaussian
79

processes and the investigation of adaptive partition mechanisms guided by robustness estimates to improve the scalability of our algorithms.
80

0.800 0.825 0.850 0.875 0.900 0.925 0.950 0.975 1.000
p
0.2
0.4
0.6
0.8
1.0
1.2
1.4
1.6
1.8
2.0
0.800 0.825 0.850 0.875 0.900 0.925 0.950 0.975 1.000
p
0.2
0.4
0.6
0.8
1.0
1.2
1.4
1.6
1.8
2.0
0.800 0.825 0.850 0.875 0.900 0.925 0.950 0.975 1.000
p
0.2
0.4
0.6
0.8
1.0
1.2
1.4
1.6
1.8
2.0
Figure 4.5: Results for the parameter synthesis problem under refinement NN
i=1 Ci ⊗ CN+1 (p) ⊗ CN+2 ⪯ C with
Nmax = 200. Each figure reports on the horizontal axis the confidence level p of the unspecified sensor, and the
standard deviation of the noise σ of the unspecified sensor on the vertical axis.
81

0.90 0.92 0.94 0.96 0.98 1.00
ps
0
2
4
6
8
10
cs
0.90 0.92 0.94 0.96 0.98 1.00
pc
30
25
20
15
10
5
0
cc
Figure 4.6: Parameter synthesis results for Csaf e (left) and Ccomf (right).
82

Chapter 5
Stochastic Contracts for Assurance of Cyber-Physical Systems
This chapter introduces an automated, end-to-end framework to address the challenges of constructing
and validating assurance cases (ACs) arguing the safety, security, and functional correctness of modern
mission-critical cyber-physical systems (CPSs). Building on the concept of stochastic contracts introduced
in Chapter 3, we formalize the claims within ACs as stochastic contracts. The framework presents an efficient synthesis algorithm that generates AC candidates using a pattern library and a validation algorithm
that applies logic and probabilistic reasoning to identify the most persuasive arguments through Bayesian
reasoning.
5.1 Introduction
Assurance about certain properties of mission-critical systems, such as safety, security, and functional
correctness, is essential throughout the product development lifecycle. Certification standards (e.g., DO178C in the aerospace industry) tend to be prescriptive in nature, enforcing a rigid, often costly, evaluation
process. Assurance evaluation is currently performed mostly manually, and due to the substantial amount
of evidence that needs to be examined, can lead to incomplete or biased assessments.
The trend in research is shifting from a prescriptive certification process to argument-based certification (e.g., based on overarching properties (OPs) [72]), which offers more flexibility to certify emerging
83

technologies, including systems enabled by artificial intelligence (AI). However, this approach expands
the scope of the evidence evaluation process, beyond checking the sufficiency of evidence, to validating
whether the proposed system development activities and outcomes are appropriate to establish safety, security, or standard compliance for a given application. In this context, automated methods and tools that
support the creation, maintenance, and evaluation of arguments are deemed as necessary for a streamlined
assurance process.
Assurance cases (ACs) are explicit arguments that desired properties have been adequately established
for a given system. ACs are typically created manually and, at present, are mostly used to document the
argumentation structure. There is a lack of consensus on a systematic approach for creating and validating
ACs. Tools for AC visualization and manipulation exist, but notations are often not completely defined,
leaving room for interpretation and misunderstanding [121]. For example, the Goal Structuring Notation
(GSN) specifies the visual syntax and semantics of its elements, such as goals, strategies, justifications, and
solutions. However, the standard [65] primarily relies on natural language for expressing claims, which
can be ambiguous and open to misinterpretation. Formalisms and tools that can assist in the creation of
rigorous and interpretable arguments are limited to only a few attempts [69, 120, 19].
This chapter addresses some of the challenges in constructing and validating ACs, including (a) the
complexity of modern safety and security-critical systems, (b) the heterogeneous nature of the evidence,
and (c) the need to assess the argument quality, i.e., quantify the persuasiveness of the argument given the
sources of doubt. We present an automated, end-to-end framework that synthesizes and validates ACs. The
framework includes (i) an efficient synthesis algorithm that automatically creates AC candidates using a
pattern library of pre-order relations linking claims with their supporting (sub)-claims and (ii) a validation
algorithm that uses logic and probabilistic reasoning to effectively identify a set of logically valid and most
persuasive AC candidates. The framework also includes a visualization tool for traversing the generated
ACs in multiple formats at different levels of the argument hierarchy.
84

Several tools [43, 12, 87, 3] support manual or partly automated AC creation, instantiation, management, and analysis. Approaches based on the AMASS platform [133, 134, 37, 93] use contracts for automated AC creation to enable compositionality and reuse of argumentation patterns. Beyond automated
and compositional AC generation with contracts, our framework also provides quantitative assessment of
the persuasiveness of an AC, based on design artifacts and evidence, by leveraging Bayesian reasoning [92]
to compute confidence values.
A few tools [30, 116] also support automated AC generation and confidence assessment, albeit not
within a contract-based, compositional framework. A possible limitation of existing approaches to confidence quantification stems from the fact that missing or contrary information may be “masked” by an
overall high confidence score at the top-level claim, leading to insensitivity to critical local evidence [63].
We address this issue via a compositional and hierarchical approach that combines local probabilistic reasoning with global logical reasoning to derive the confidence of the top-level claim [106]. Our assessment
algorithm, consisting of uncertainty quantification steps followed by decision-making steps, allows appropriately weighing different evidence items and early discounting of unreliable evidence with low confidence levels, thus making the overall process of propagating confidence values to the top-level claim and
determining their sufficiency more robust to inaccuracies in the confidence models.
5.2 Backgrounds
5.2.1 Assurance Cases
An assurance case (AC) is an argument constructed to establish that a system satisfies the requirements
in its operative environment by means of hierarchical steps that map a claim to evidence via strategies
and intermediary claims [121, 19]. ACs are often described using a structured language [71] or graphical
notations such as the Goal Structuring Notation (GSN) [140] and the Claims-Arguments-Evidence (CAE)
85

notation [4]. An AC can then be represented as a directed acyclic graph mapping the system specification
(the top-level claim) from the root node to the leaf nodes representing the evidence.
Software tools such as AdvoCATE [43] and DS-Bench [56] can be used to specify GSN (or CAE) pattern
libraries, providing a limited degree of automation for representation and validation of ACs. However,
some semantic elements in these tools are not well-defined in their respective conventions, leaving room
for an individual developer to clarify them [121]. The argumentation steps between claims often lack rigor,
opening the door for confirmation bias [19]. We address these concerns by leveraging contract operations
to solidify the relationship between claims, allied with Bayesian reasoning to assess their strength.
5.2.2 Bayesian Networks
Bayesian networks (BNs) have been successfully used to incorporate subjective notions of probability or
belief and quantitatively reason about the confidence in assertions affected by uncertainty [74, 92, 70].
BNs can encompass aleatoric and epistemic uncertainty and tend to produce more compact models in the
number of parameters than other probabilistic reasoning frameworks for uncertainty quantification [143].
We first introduce basic notions from probability theory and build on these to define a BN. A probability
space is a triple (Ω, F, P) where Ω is a set of outcomes, F is a set of events, and P : F → [0, 1] is a measure
that assigns probabilities to events [92]. A random variable (RV) X : Ω → R is a function assigning a real
number to each outcome in Ω. A probability distribution of a RV X is a probability measure P(X ∈ A)
defined on all subsets A of the real line [18]. Given two RVs X and Y , we denote by P(X = x, Y = y) the
joint probability distribution and by P(X = x|Y = y) the conditional probability distribution of an event
(X = x) ∈ F given another event (Y = y) ∈ F. Given the joint probability distribution of the RVs X
and Y , the conditional probability distribution can be calculated via the formula: P(X = x|Y = y) =
P(X = x, Y = y)/P(Y = y). Two RVs are conditionally independent, if they are independent of each
other given a third RV, i.e., P(X = x, Y = y|Z = z) = P(X = x|Z = z)P(Y = y|Z = z).
86

Let P be the joint probability distribution of a set of Boolean random variables V and G = (V, E)
be a directed acyclic graph where the elements of V are the nodes and E is a set of directed edges. We
define (G, P) as a BN if (G, P) satisfies the Markov condition [92], i.e., if for each variable X ∈ V, X is
conditionally independent of the set of all its non-descendants given the set of all its parents πX. Given
the values of Xi
’s parents πXi
, joint probability distributions for a set of values for each discrete RV, X1 =
x1, X2 = x2, ..., Xn = xn can be calculated using the chain-of-conditionals formula [92, Theorem 1.4].
P(xn, xn−1, ..., x1) = P(xn|πn)· · · P(x1|π1). (5.1)
5.2.3 Confirmation Measures
In the context of ACs, it is desirable to assess the extent to which the available evidence supports each
reasoning step. Confirmation measures offer an avenue to express the relative strength of an argument
compared to a naïve baseline [19]. A “confirmation measure” is generally taken to be a function of the
probability of the hypothesis (P r(H)) and the probability of the hypothesis given the evidence of interest (P r(H | e)). While not formally defined in the literature, we consider confirmation measures to be
functions that satisfy the following three properties [139].
For a confirmation measure CM(·):
1. The confirmation measure should be a function of only P r(H) and P r(H | e), i.e.
CM(P r(H), P r(H | e))
2. For a fixed P r(H), CM(·) should be an increasing function of P r(H | e).
3. For a fixed P r(H | e), CM(·) should be a decreasing function of P r(H).
For example, the measure introduced in [150] is simply this difference as shown in (5.2).
Good(H, e) = P(H | e) − P(H) (5.2)
87

It has been argued that humans are more naturally inclined to confirmation measures rather than raw
probabilities and that such comparative measures are well-suited to establishing assurance arguments [8,
19].
5.3 An Overview of AACE: Automatic Assurance Case Environment
As shown in Figure 5.1, our framework, denoted as AACE, automatically generates and validates ACs given
a top-level goal from a pattern library, the evidence database, and the system specification. We refer to
the synthesis and validation processes collectively as generation. Validation itself coordinates logic and
probabilistic reasoning to select valid AC candidates and assess their confidence level.
AC patterns are reusable AC templates that can be instantiated using system specific information to
construct larger ACs. The patterns capture, in the form of generic argumentation steps, domain knowledge about what evidence is required to achieve specific goals. We employ hierarchical contract networks
(HCNs) to formalize AC patterns and use Resolute [57] as the underlying language for their specification.
Uncertainty in assertions is instead modeled using Bayesian networks (BNs). Given a top-level claim from
the pattern library and a system under evaluation, the synthesis algorithm automatically selects and instantiates the patterns and assembles the instantiated patterns together into an HCN that represents a set
of AC candidates.
We denote by evidence a set of objective facts collected, for example, via tests, analyses, or proofs, that
can be used in support of, or against, a claim. The evidence is maintained according to an evidence ontology in a database that is accessible by the AC generation framework. The availability of evidence could
be considered by the synthesis algorithm for selecting certain AC candidates early. However, our framework also targets an assurance-driven development process with objectives (e.g., cost and development
time) taken into account during certain stages of the product lifecycle. Particularly, in the early stages
of product development, when the system design is incomplete, we are interested in exploring the set of
88

AC Patterns
AC Synthesis
Synthesis of all logically valid ACs
System
specifications
AC
Candidates
Satisfiability Modulo
Theories (SMT) Solver
Satisfiability
problem
Evidence Library
AC Selection
Selection of ACs with the highest
valuation metric
AC Assessment
Confidence assessment of each AC
Confidence Inference
Engine
Risk & Infeasibility
Certificate
ACs with
confidence values
Sat/Unsat Confidence Network
Set of Evidence
Confidence
Value
Candidates
Selected AC Top-level
Goal
AC Generation
Argumentation Patterns Confidence Patterns
Evaluation Tool Figure 5.1: Overview of the AC generation framework with a summary of output candidates.
89

all potential evidence items and assurance arguments, to analyze cost and benefit trade-offs. The validation algorithm selects the AC candidates with the lowest number of missing supporting evidence. The
selected ACs undergo confidence level quantification, which assesses the ACs’ persuasiveness. Finally, our
framework returns a set of valid ACs and their confidence scores, ensuring that the most convincing and
well-supported ACs are presented to system designers and certification authorities.
Overall, by leveraging our previous results on generic HCN synthesis [145] and AC validation [106],
our framework supports the first end-to-end automated methodology that seamlessly integrates contractbased synthesis and validation of ACs, and makes it accessible, via intuitive user interfaces, to system
designers and certification authorities.
5.4 AC Pattern Formalization
We formalize an AC pattern as a pair consisting of an HCN (assurance pattern) and a set of BNs (confidence
patterns).
5.4.1 Hierarchical Contract Networks
An argumentation step involving a concatenation of claims (or contracts) can be represented as interconnected contracts, termed contract network (CN). Stepwise refinements of higher-level claims into lowerlevel claims can then be captured by a tree of contract networks, that is, a hierarchical contract network
(HCN) using contract refinement [145, 106]. We introduce formal definitions of a contract as a claim, a CN
as a collection of claims, and an HCN as an argument, along with conditional refinement relationship that
connects a contract with a CN.
90

A:
G:

0 ≔ ∧
↔ ()
0

A:
G:

A:
G:

⨂
Composition
Operator
Contract
Contract Network
Conditional
≼
Refinement
0
(a) HCN (assurance pattern)
()
()
()
()
()
()
()
()
() ()
() ()
()
Testing Pattern Instantiation 1 Testing Pattern Instantiation 2
(b) BN (confidence pattern)
Figure 5.2: AC pattern for P2 in Figure 5.5.
5.4.2 Stochastic Propositional Logic
We use stochastic propositional logic (StPL) [106], an extension of propositional logic which builds on previous notions of unification between logic and probability [58, 67, 94].
Let ϕ be a propositional formula over X , constructed by combining the Boolean RVs via logical connectives, e.g., X1 → (X2 ∧ X3). We define a probabilistic atomic predicate (AP) of the form ϕ
[p]
:= P(ϕ) ≥ p,
where p ∈ [0, 1] is a probability threshold. The truth value of ϕ
[p]
is interpreted based on the satisfaction
of the probabilistic constraint, i.e., ϕ
[p] = ⊤ (true) if and only if ϕ = ⊤ holds with probability larger than
91

or equal to p. The syntax of StPL is then defined as follows: ψ := ϕ
[p]
| ¬ψ | ψ1 ∨ ψ2, where ψ, ψ1, ψ2 are
StPL formulas. The semantics are defined recursively as: X |= ϕ
[p] ↔ P(ϕ) ≥ p, X |= ¬ψ ↔ ¬(X |= ψ),
and X |= ψ1 ∨ ψ2 ↔ (X |= ψ1) ∨ (X |= ψ2).
We express the assumptions and guarantees of a contract using StPL formulas to specify probabilistic
behaviors over X and reason about properties of the form “test coverage is achieved with confidence larger
than or equal to 0.9.” We denote the resulting contracts and HCNs by stochastic contracts and Hierarchical
Stochastic Contract Networks (HSCN), respectively. The main contract operators can then be mapped to
logical operations and entailment between formulas.
5.5 Confidence Networks
Automating AC validation and assessment are daunting tasks, given the need to create and validate confidence models that can effectively account for the various sources of uncertainty and available evidence. To
address this challenge, we propose the use of a library of confidence network patterns, which can represent and reason about the heterogeneous sources of uncertainty involved in an argumentation step using
evidence items from testing and formal method activities. By utilizing these patterns, we can address the
complexity of the uncertainty present in ACs and provide a more comprehensive assessment of the confidence level of the argument. Moreover, these patterns allow us to achieve a more accurate and nuanced
assessment of the confidence level of the argument.
Our framework provides automation for (a) the systematic quantification of confidence values in evidential claims of an AC, enabling a more accurate and reliable assessment of the argument’s strength; (b)
the reuse of the vetted confidence patterns in different ACs, providing a scalable and efficient means of
automating the validation and assessment of assurance cases; and (c) the examinations of the desired properties of confidence patterns, ensuring that they meet the necessary criteria for the use of these patterns
in the AC. We advocate confidence patterns based on BNs.
92

1
1

0.5 0.5

1−
1−
0.5 0.5
0.5 0.5

1

0.5 0.5

1 …
… 1−
… 0.1 0.9
⋮ ⋮ ⋮ ⋮ ⋮

… 1 …

0.5 0.5

0.5 0.5

1−
0.1 0.9
0.1 0.9
0.01 0.99

1 …
… 1−
⋮ ⋮ ⋮ ⋮
, , ≅ 1
Confidence Model Template For Testing
Figure 5.3: Confidence pattern for testing
5.5.0.1 Confidence Pattern Templates
We first present the confidence pattern for testing as shown in Figure 5.3. The confidence pattern encapsulates the notions from testing to express the key correlations between the outcome of a test and the
quality of the artifacts (e.g., test procedure, test oracle) produced during the software development and
testing steps.
This pattern enables us to compute the confidence in a conclusion, such as the software being secure
against a specific Common Weakness Enumeration (CWE), based on test results and beliefs in the quality
of testing. The confidence in the overall testing quality (soundT est) is determined by considering the
beliefs in the quality of the testing procedure (soundP rocedure) and the testing oracle (soundOracle).
These beliefs are influenced by the uncertainty surrounding the assumptions underlying the testing procedure (procAssumptionsi
, ∀i ∈ [1, NpA]) and the assumptions that can either support or undermine the
93

1
1

0.5 0.5

1−
1−
0.5 0.5
0.5 0.5

…

0.5 0.5

0.5 0.5

1 −
0.1 0.9
0.1 0.9
0.01 0.99

1 …
… 1−
⋮ ⋮ ⋮ ⋮
, , ≅ 1
Confidence Model Template For Formal Method
Figure 5.4: Confidence pattern for formal method
soundness of the testing oracle (oracleAssumptionsi
, ∀i ∈ [1, NoA]), as well as the correctness of the
software specification (correctSpec).
Note that α and β on the conditional probability distribution table of the conclusion conclusion in
Figure 5.3 are aleatoric probability values that model the uncertainty intrinsic to the relationships among
the conclusion conclusion, the soundness of the testing soundT est, and the testing result testResult.
On the other hand, psT , psP , and psO on the conditional probability distribution table of soundT est,
soundP rocedure and soundOracle in Figure 5.3 are epistemic probability values that model the incomplete knowledge on the relationships among the soundness of the testing soundT est, the testing
procedure soundP rocedure, the testing oracle soundOracle, and the confidence in their premises, e.g.,
procAssumption1.
Likewise, we present the confidence pattern for formal method as shown in Figure 5.4. The pattern
enables us to compute the confidence in a conclusion based on formal method results (FMResult) and
beliefs in the quality of the performed formal method (soundFM). The confidence in the overall formal
method quality (soundFM) is determined by considering the beliefs in the quality of the formal method
94

procedure (soundP rocedure) and the correctness of the software specification (correctSpec). The belief
in the formal method procedure is influenced by the uncertainty surrounding the assumptions underlying
the formal method procedure (procAssumptionsi
, ∀i ∈ [1, NpA]). Similarly to the confidence model for
testing, approximations can be obtained for the confidence values of the conclusion node c in Figure 5.4.
5.5.0.2 Applying Pearl’s Method for Confidence Computation
Assuming that we have a set of evidence items given as an evidence library, we now employ Pearl’s method
of virtual evidence[110] to compute confidence values for claims using a BN. In our approach, we consider
two types of evidence: hard and virtual evidence, but not soft evidence [14]. Hard evidence refers to observations of a random variable with certainty, where a particular value is observed, e.g., X1 = ⊤ or
P(X1 = ⊤) = 1. Note that X1 = ⊤ and P(X1 = ⊤) = 1 have two different meanings in probability
theory. However, we use both terms interchangeably with the abuse of notation. Virtual evidence corresponds to observations of a random variable with uncertainty, often represented by likelihood ratios (e.g.,
P(η|X1 = ⊤) : P(η|X1 = ⊥) = 9 : 1), where η represents the virtual event. Soft evidence denotes observations of uncertainty on a random variable, usually represented by probabilities (e.g., P(X1 = ⊤) = 0.9
and P(X1 = ⊥) = 0.1). For a detailed comparison between hard, virtual, and soft evidence, we refer the
readers to [14].
We have chosen to implement Pearl’s method of virtual evidence to compute confidence values for claims
in our framework because the evidence items in our evidence library are primarily virtual and often hard
evidence. The evidence provided for ACs mostly consists of virtual evidence, as they serve as indirect
indications, with uncertainty, of the functional correctness and security of the software system. While
some evidence items are hard evidence (e.g., the source code being written in C++), most of the evidence
items are not soft evidence. This is because the uncertainty associated with a claim cannot always be
precisely quantified (e.g., we may have 99% confidence on the claim “The oracle correctly measures the
95

decision coverage (DC) of a software system given a set of test cases” but not 100%, unless the claim is
of purely statistical nature (e.g., P(Heads on a coin flip) = 0.5). It is possible to transform evidence with
uncertainty into hard evidence on virtual events [31]. This transformation enables the computation of
confidence values P(X2 = ⊤) given the virtual event η (or a set of virtual events) by using the posterior
probability P(X2 = ⊤|η) in the augmented BN [14].
We propose the following procedure to compute a confidence value on a claim given a BN and an
evidence library.
• Augment the BN with the virtual evidence nodes: Add a node corresponding to a virtual event
η (an item of evidence) for each item of evidence in the evidence library, if there exists a claim (or
a node) X1 which can be supported (or contradicted) by this item of evidence. Then, add a directed
edge (X1, η) from X1 to η. We only need to add this edge because the Pearl’s method assumes that
the virtual event η depends only on variable X1 and is independent of any other nodes in the BN
given X1 [142, Equation A.6]. The conditional probability table associated with the virtual node η
can be acquired from the likelihood ratio, e.g., P{η | X1 = ⊤} : P{η | X1 = ⊥} = λ⊤ : λ⊥ [142,
Equation A.5].
• Confidence computation: Compute the posterior confidence value P{X2 | η1, η2, . . .} of a claim
(or a node) X2 given an evidence library. For example, the posterior confidence value on the claim
X2 given an evidence library with virtual events {η1, η2, η3} can be acquired by computing P{X2 |
η1, η2, η3} [142, Equation A.7].
Example 5.1 Assume an AC pattern library that partially addresses the correctness goal, shown in Figure 5.5.
P1 argues that test cases are sufficient for demonstrating system correctness if the tests exercise all requirements
r and cover the entire source code s. P2 argues that a set of tests cover the entire source code based on documented coverage metrics. P3 argues that requirements are covered by a set of test cases if the tests cover the
96

A:
G: ,

3 ≔
(, ) ∧
(, ) ∧
(, )
↔ (, )
3

A:
G: ,

A:
G: ,

A:
G: ,

⨂
A:
G:

2 ≔
∧
↔ ()
2

A:
G:

A:
G:

⨂
A:
G: ,

0,1
1 ≔
∧
,
↔ (, )

A:
G:

A:
G: ,

⨂
1
1 2 3
Figure 5.5: AC pattern library used in the running example. Claims are represented as a contract C.
normal and robust ranges of requirements. The BN in Figure 5.2b models a confidence pattern expressing the
key correlations between the outcome of a coverage test and the quality of the artifacts (e.g., source code, test
oracle) produced during software development and testing. The BN in Figure 5.2b can be associated to pattern
P2 in Figure 5.5.
5.6 AC Synthesis
The proposed synthesis procedure of AC candidates, which leverages the algorithm first introduced for
generic HCNs [145], is summarized in Algorithm 5. Given a contract network containing a set of toplevel goals N0, an AC pattern library L, and a set of formulas specifying the context of the system I, the
synthesis algorithm automatically generates a set of AC candidates H in terms of a set of instantiated
contract networks N˜ and a set of instantiated refinements R˜ . An AC candidate H′ = (N˜
0, N˜′
, R˜′) ∈ H
consists of the top-level contract network N˜
0 ∈ N˜ , a set of instantiated contract networks N˜′ ⊆ N˜ , and a
set of instantiated CRs R˜′ ⊆ R˜
97

In line 12, the top-level claims (or contracts) in a contract network N0 are instantiated with the system
and its contexts under evaluation I using the function instantiate. The main function of Algorithm 5 is
executed in line 13. For each instantiated contract C˜ of N˜, the algorithm searches the AC pattern library
L for the argumentation patterns (conditional refinement relationships) that can support the contract C˜
(line 4). We use the function findRefinements for finding such argumentation patterns, i.e., a set of CRs
R. Any contracts that are not refined by any other contract networks in the library are either evidential,
indicating that they can only be established by evidence from the lifecycle activities, e.g., requirements
review, test results, code reviews, formal methods, or are undeveloped claims.
In line 6, the contract networks from the returned refinements are also instantiated with the system
under evaluation. After instantiation, the validity of potential refinements is determined by converting
the contract property checking (consistency, compatibility, and refinement) problems into satisfiability
problems that are passed to a satisfiability modulo theory (SMT) solver, i.e., by executing the function
checkContractProps (line 7). The function checks that a refinement holds with respect to the system
contexts, which are configurations, properties, and operating contexts of the system, encoded as assertions,
e.g., “the software component targets the highest safety integrity level,” “the wireless communication in
component A is disabled.” If the validity of the potential CR is established, then the instantiated refinement
R˜
k is added to the set of instantiated refinements R˜ (line 10).
The procedure is recursive, i.e., it starts again with each contract network N˜
k and terminates when all
the leaf contracts are either evidential or undeveloped (line 8). Since a contract could be linked to more
than one contract network, the outputs of the algorithm, a hierarchy of contracts, are sets of instantiated
contract networks N˜ and CRs R˜ that can be connected to create one or more AC candidates. All the AC
candidates connects the instantiated top-level claim N˜
0 to evidential claims through multiple argumentation steps. An example output AC candidate is shown in Figure 5.6.
98

Algorithm 5: synthesis(L, N0, I)
input : A contract network containing top goals N0; an assurance case library L; a set of system
contexts I
output: Termination and AC candidates H
1 Function synthMain(N˜, L, I):
2 N˜ ← {N˜} and R˜ ← ∅
3 for C˜ ∈ N˜ do
4 R ← findRefinements(C, ˜ L)
5 for Rk = (C, φ ˜
k, Nk) ∈ R do
6 N˜
k ← instantiate(Nk, I)
7 if checkContractProps(C, φ ˜
k, N˜
k) then
8 N˜
tmp, R˜
tmp ← synthMain(N˜
k,L, I)
9 N˜ ← N˜ ∪ N˜
tmp
10 R˜ ← R˜ ∪ R˜
tmp ∪ {R˜
k}
11 end
12 end
13 end
14 return N˜ , R˜
15 N˜
0 ← instantiate(N0, I)
16 N˜ , R˜ ← synthMain(N˜
0,L, I)
17 return N˜ , R˜
Among the AC candidates generated from AC synthesis, our selection process prioritizes candidates
that are fully supported by evidence items within the evidence library. In addition, we select a set of AC
candidates that are partially supported. For these candidates, we determine the minimum number of additional evidence items required to fully support their claims. We then proceed to assess the confidence level
associated with each selected candidate, which accounts for the uncertainty associated with the evidence.
5.7 AC Selection and Confidence Assessment
5.7.1 Selecting AC Candidates
AC validation and assessment for a realistic system can be time-consuming, particularly when dealing
with a large number of candidates (e.g., 106
), which can also require significant memory. To address this
issue, we employ a depth-first-search approach to select AC candidates according to a ranking based on
99

෩
A: ′
G:
′
,
′
෩
A: ′
G:
′
,
′
෩
A: ′
G:
′
,
′
෩
⨂
1
A: ′
G:
′
,
′
෩
෩
෩
A: ′
G: ′
෩
⨂
A: ′
G:
′
,
′
෩ 2
෩
A: ′
G: ′
෩
A: ′ G:
′
෩
⨂
3
෨0
෤1 ≔
′ ∧
′
↔ ′
෨1
෤0 ≔
′ ∧
′
,
′
↔
′
,
′
෤2 ≔

′
,
′ ∧

′
,
′ ∧

′
,
′
↔
′
,
′
෨2
Figure 5.6: Generated AC based on the AC pattern library in Figure 5.5. Dotted boxes highlight the instantiated patterns. Confidence values when all evidence items are available are shown in green, while
red values indicate confidence with missing evidence for testsExerciseRobustness(s
′
, r′
) (“Tests exercise robustness of the system s
′ with respect to the requirement r
′
”) where s
′
is the system and r
′
is the
requirement of interest.
a function f : H → R. For example, we can employ the following function to rank and select the AC
candidates:
f(H) = # of evidential contracts in H w/ no missing evidence
# of total evidential contracts in H
(5.3)
This metric, denoted as completion metric, given by (5.3) measures the percentage of evidential contracts
in H that have a complete set of evidence items, thus prioritizing AC candidates with higher completion
levels. We then compute the confidence values for these AC candidates. Note that other functions, such as
the total potential cost of evidence item generation, can be used to rank and select a set of AC candidates
with desired properties.
100

෩
෩
෩
෩
⨂ ෩
෨
0
෨
1
෨
1
෩ ෩ ෩ ෩ ෩
෨
2 ෨
3 ෨
4 ෨
5
Figure 5.7: Simplified ACs.
Algorithm 6 summarizes the procedure for selecting n or less AC candidates with the highest metric
according to the function f. Given the instantiated top-level CN N˜
0, a set of instantiated contract networks
N˜ , a set of instantiated CRs R˜ , an evidence library E, a function f, and an integer n denoting the maximum
number of selected AC candidates, the algorithm first runs a recursive function selectMain which returns
a set of AC candidates H at each iteration (line 13).
The function selectMain returns a set of AC candidates that are under a certain branch characterized
by the instantiated CN N˜ and CR R˜. For example, selectMain would return a set of ACs with elements:
{(N˜
1, {N˜
1, N˜
2, N˜
4}, {R˜
0, R˜
1, R˜
3}),(N˜
1, {N˜
1, N˜
2, N˜
5}, {R˜
0, R˜
1, R˜
4}),
(N˜
1, {N˜
1, N˜
2, N˜
6}, {R˜
0, R˜
1, R˜
5}),(N˜
1, {N˜
1, N˜
3, N˜
4}, {R˜
0, R˜
2, R˜
3}),
(N˜
1, {N˜
1, N˜
3, N˜
5}, {R˜
0, R˜
2, R˜
4}),(N˜
1, {N˜
1, N˜
3, N˜
6}, {R˜
0, R˜
2, R˜
5})}
when N˜
1 and R˜
0 in Figure 5.7 are given as inputs and {(N˜
2, {N˜
2}, {R˜
1})} with inputs N˜
2 and R˜
1.
For each contract within N˜, all potential sub-level HCNs, that may use different CNs and CRs, are
collected (line 5-9). For C˜
1 and C˜
2 of N˜
1 in Fig 5.7, HC˜ are {(N˜
2, {N˜
2}, {R˜
1}),(N˜
3, {N˜
3}, {R˜
2})}
and {(N˜
4, {N˜
4}, {R˜
3}),(N˜
5, {N˜
5}, {R˜
4}),(N˜
6, {N˜
6}, {R˜
5})}, respectively. In line 10, we then take
101

Algorithm 6: selectACs(N˜
0, N˜ , R˜ , E, v, n)
input : A set of instantiated contract networks N˜ ; a set of instantiated CRs R˜ ; an evidence
library E; a function f; the maximum number of AC candidates n.
output: A set of instantiated AC candidates H.
1 Function selectMain(N˜, R˜, N˜ , R˜ , E, v, n):
2 H ← {(N, ˜ {N˜}, {R˜})}
3 HN˜ ← ∅
4 for C˜ ∈ N˜ do
5 HC˜ → ∅
6 for R˜′
:= (C˜′
, ψ, N˜′
) ∈ R˜ do
7 if C˜ = C˜′
then
8 Htmp → selectMain(N˜′
, R˜′
, N˜ , R˜ , E, v, n)
9 HC˜ → HC˜ ∪ Htmp
10 end
11 end
12 HN˜ → HN˜ × HC˜
13 end
14 H → H × HN˜
15 return selectHCNs(H, E, v, n)
16 return selectMain(N˜
0, ∅, N˜ , R˜ , E, v, n)
the cross product H1 × H2 between two sets of HCNs H1 = {H1,1, H1,2, . . . , H1,n1
} and H2 =
{H2,1, H2,2, . . . , H2,n2
} which is defined as follows:
H1 × H2 = {H′
1
, H′
2
, . . .}∀i ∈ [1, n1], j ∈ [1, n2], H′
i+j−1 = (N˜
1,i,0, N˜
1,i ∪ N˜
2,j , R˜
1,i ∪ R˜
2,j ) (5.4)
where Hk,i = (N˜
k,i,0, N˜
k,i, R˜
k,i). In line 11, we take the cross product again to include the CN N˜ and CR
R˜.
Finally, the function selectHCNS selects only the top n or smaller number of ACs with the highest
rankings according to the metric given by the function f (line 12). For instance, each AC candidate can be
evaluated using (5.3) such that the AC candidates with the highest completion metric are selected.
102

Algorithm 7: assessConf(T, E, W, R)
input : Top-level refinement T = (Cr, φr, Nr); library of confidence networks E; library of
decision rules W; set R of HCN refinements.
output: Confidence P(Cr), ⊥ if assessment fails; infeasibility certificate cert.
1 cert ← ⊥ and P, Q ← ⊥
2 for C ∈ Nr do
3 Rcurr ← ⊥
4 for R = (Cu, φ, Nl) ∈ R do
5 if C = Cu then Rcurr ← R; break;
6 end
7 if Rcurr = ⊥ then
8 P(C) ← inferConf(C, E)
9 else
10 P(C), certif icate ← assessConf(Rcurr, E, W, R)
11 if P(C) = ⊥ then return ⊥, cert
12 end
13 end
14 Q ← decideConf (P, E, W)
15 if Q = ⊥ then return null, cert
16 else return propagateConf(P, Rcurr), cert
5.7.2 Assessing AC Candidates
Given the selected AC candidates as a set of HCNs and a library E of confidence networks, we employ a
combination of probabilistic and rule-based automated reasoning [106] to quantify the confidence associated with an AC candidate H as summarized by Algorithm 7. The algorithm recursively traverses H
using a depth-first-search approach, propagating confidence values up from lower-level CNs to higherlevel ones. Specifically, for each evidential contract encountered during traversal, the algorithm uses one
or more corresponding networks in E to calculate its confidence value. If a contract is not evidential, the
confidence value is propagated from its lower-level CN by recursively calling assessConf. However, if any
confidence propagation rule is violated (as evaluated by decideConf), the validation process terminates
with a failure. For example, the decision-making step in our algorithm can apply a simple rule requiring
that the majority of the premises in an evidential contract must have a high confidence level according to
a pre-determined threshold.
103

5.7.2.1 Discretizing Confidence via Confirmation Measures
We utilize confirmation measures to convert from continuous probabilities to discrete values to enable our
rule based reasoning. The claim of a contract maps to the hypothesis of interest for the application of
confirmation measures. In particular, we utilize the “justificiation" measure of [128, 8] as the confirmation
measure to convert continuous probabilities into appropriate, discrete confidence belief values for our
rule-based decision making.
We can classify a confidence value into either of the three categories: high and low. The threshold
between the categories are determined by an hyperparameter γ, which represents the allowed “relaxation”
to confirm the claim given the evidence items. Setting γ = 1 requires the optimal set of evidence items to
be present in order to confirm the claim. System designers can generate various thresholds for different
values of γ to determine which items of evidence are sufficient.
HIGH: CM(H, e) ≥ ℓH
LOW: 0 ≤ CM(H, e) < ℓH
where ℓH = γ ∗ maxe CM(H, e) where γ ∈ [0, 1].
By pairing BNs with confirmation measures, our framework can automatically and appropriately assess
whether the set of evidence sufficiently supports a given argument. This automation enables rapid system
evaluation to enhance development or assurance efforts.
5.8 Case Studies
In this section, we present four case studies. For the first and the second case studies: 1) the correctness
of software and 2) the safety of an autonomous driving system, we evaluate the validation and assessment
104

1
A: ∧
G:

A: ∧
G:

A: ∧
G:

A: ∧
G:

2 ≔ ∧ ↔
2
3 3 ≔ ∧ ↔
1 ≔ ∧ ↔

A: ∧
G:

A: ∧
G:

A: ∧ ∧
G:

A: ℎ ∧
G:

A: ∧ ℎ ∧ ∧
G:

0 0 ≔ ∧ ↔
Contract
Network Contract High
Threshold
Medium
Threshold
1
1 0.99 0.95
2 0.9 0.8
⋮ ⋮ ⋮ ⋮
4
1 0.98 0.95
2 0.99 0.95
Figure 5.8: HSCN for the correctness of a software module and table for classifying confidence levels.
part of the overall framework. We evaluate the performance of the overall framework on the third and the
fourth case studies, which synthesize and assess the arguments arguing the security of 1) the Advanced
Fail Safe (AFS) module for the ArduCopter rotorcraft [7] given a set of evidence items [127] and 4) an
industrial-level aerospace system.
We implemented the validation and assessment module as a Python package. SMT problems are solved
using Z3 [38], while the Python package pgmpy [6] is used to capture the confidence networks and perform
Bayesian inference. Experiments are executed on an Intel core i3 processor with 32-GB RAM.
5.8.1 Software Correctness Assurance
In this case study, we illustrate the advantages of our approach by comparing it with a confidence quantification method based on translating the entire AC into a single BN to perform probabilistic inference
monolithically [42, 154] and infer a confidence measure for the top-level claim. We validate the HSCN
in Figure 5.8 aiming to assess the top-level claim with a confidence level δ
∗ = 0.9. Multiple sub-claims
based on formal verification, requirement, and structural test coverage support the top-level claim that
“the software module is correct,” inspired by the prescriptions of the DO-178C standard [119]. We assume
105

()

()

0.999 0.001

()

()

0.999 0.001

1 0
0 1
⋮ ⋮ ⋮ ⋮ ⋮

0.99 0.01

()

0.999 0.001

()

1 0
0 1
⋮ ⋮ ⋮ ⋮ ⋮

()

1 0
0.9 0.1
0.7 0.3
0 1

()

()

()

()

()

()

()
Figure 5.9: Confidence network for C1 and C2 of N4.

ℎ

Figure 5.10: A single BN used to reason about the confidence in the argument of Figure 5.8.
a library of confidence networks supporting all the evidential contracts, including the one in Figure 5.9,
a set of thresholds for classifying confidence levels as in Figure 5.8, and a decision rule requiring that all
the confidence values for the premises (or sub-claims) of a claim be High for successful confidence propagation. We place a higher weight on the outcome of decision coverage (DC), C2 of N4, than on modified
condition/decision coverage (MCDC), C1 of N4, by using a higher threshold to determine whether the confidence for DC (0.99) is high enough. The decision to allocate higher weight on the outcome of DC follows
from the fact that the criteria for DC are less restrictive than those for MCDC and a lower confidence value
in the outcome of DC denotes a potential flaw in the development process.
As shown in Table 5.1, we introduce three scenarios assigning different confidence levels to predicates
DCO and MCDCO in Fig 5.9, stating that “the DC (or MCDC) testing oracle is correct,” due to the
available evidence. In all scenarios, we check the soundness of the conditional refinements by solving
SMT problems and match each evidential contract to an appropriate confidence network. For scenario 1,
106

Scenario P(MCDCO) P(DCO) Confidence Level
on C1 of N4
Confidence Level
on C2 of N4
Top-Claim Confidence
(or Failure Reason)
ARACHNE Single BN
1 0.99 0.995 High (0.9900) High (0.9950) 0.9767 0.9826
2 0.99 0.97 High (0.9900) Medium (0.9701) Rule Violation 0.9800
3 0.995 0.99 High (0.9950) Medium (0.9900) Rule Violation 0.9836
Table 5.1: Results for the case study on software correctness.
ARACHNE provides a confidence value of 0.9767 while inference on the single BN shown in Figure 5.10
yields 0.9826 for the top-level claim. In both cases, the evidence is determined as sufficient to support the
claim. In scenario 2, we assume instead that the belief in DCO decreases, e.g., due to the realization that
an outdated oracle has been used. ARACHNE identifies the low-confidence claim C2 of N4, which has
now Medium confidence, and returns a failure due to the violation of the decision rule. On the other hand,
a method using the single BN in Figure 5.10 fails to effectively isolate the potential gap: the confidence
in the top-level claim, 0.98, is still deemed as admissible (≥ 0.9), and the reduced belief in DCO gets
“masked” by the overall high confidence. In scenario 3, we assume that the belief in MCDCO increases
while the one in DCO decreases symmetrically to scenario 1. In this case, the claim on DC (C2 of N4) does
not pass ARACHNE’s threshold for sufficient confidence. The confidence level in C2 of N4 is classified as
Medium and the validation leads, again, to a failure due to violation of the decision rule. On the other hand,
inference on the single BN fails to recognize the different weights placed on DCO and MCDCO. Since
the confidence in the top-level claim is 0.9836, the evidence is considered as sufficient despite the different
roles played by C1 and C2 of N4 in the decision-making process. Overall, ARACHNE can circumvent the
limitations of monolithic inference, including the “masking” of weak premises (as shown in scenario 2)
and the equal weighing of evidence (as shown in scenario 3) by virtue of its hierarchical approach and
propagation strategy.
107

: ∧=1
( ∧ ∧ )
:

0: ∧
↔
: ∧=1
( ∧ )
:
: ∧=1

:

: 1 ∧ 1
: 1
…

1: ∧=1

↔
: 1
:1
…

2: ∧=1

↔
0
1
2
Figure 5.11: HSCN for an autonomous vehicle.
5.8.2 Scalable Assurance for Autonomous Driving Systems
We assess the scalability of the proposed framework by constructing an HSCN for an autonomous vehicle,
as shown in Figure 5.11, inspired by some of the criteria proposed in the literature [126, 88] to assess safety
and reliability. We again compare our approach with a method using monolithic inference on a single BN.
In the proposed AC, system hazards are mitigated via a divide-and-conquer approach by mitigating
the hazards associated with the perception sub-system and the driving policy sub-system. The overall
confidence in the performance of the system is then computed by combining the confidence in these two
legs of the arguments. Each component in the perception sub-system operates independently from the
other components and is subject to testing methods to assess the performance as well as fault-tree analysis against specific hazards. The driving policy is, instead, specified by a set of rules, derived from the
responsibility-sensitive safety (RSS) model [126] to guarantee that accidents will never be caused by the
autonomous vehicle in control. We assume that each RSS-derived rule can be independently verified by a
set of formal methods.
108

0 50 100 150 200 250 300 350 400
Number of Contracts
10
2
10
1
10
0
10
1
10
2
10
3
Execution Time [s]
ARACHNE
Single-BN
(a)
0 50 100 150 200 250 300 350 400
Number of Contracts
10
2
10
1
10
0
10
1
10
2
10
3
Execution Time [s]
ARACHNE
Single-BN
(b)
0 5000 10000 15000 20000 25000
Number of Contracts
0
500
1000
1500
2000
2500
3000
3500
4000
Execution Time [s]
Horizontal
Vertical
(c)
Figure 5.12: Execution times for validation and confidence assessment using ARACHNE and a single-BN approach
when the HSCN is expanded horizontally (a) or vertically (b). Runtime performance of ARACHNE for horizontallyexpanded and vertically-expanded HSCNs (c).
109

We expand the AC in Figure 5.11 horizontally or vertically. In the horizontal case, we fix the number
of argumentation layers, and increase the number of components and RSS rules to M, which results in an
increased number of contracts in N2 and N3. The total number of contracts in the HSCN is 2M + 3. Since
each evidential contract is supported by a BN with kc nodes, a single BN modeling the same argument has
2M(kc+1)+3 nodes. In the vertical case, we assume that the mitigation of undesirable behaviors for each
component or RSS rule hinges on the analysis of the sub-components or their associated RSS rules. The
maximum number of contracts within each contract network is now limited to 2, while the total number
of argumentation layers and contracts in the HSCN is 2 +⌈log2 M⌉ and 4M + 1, respectively. In this case,
the total number of the nodes in the single BN is 2M(kc + 2) + 1.
As reported in Figure 5.12a and 5.12b, our approach scales well with an increasing number of components and RSS rules. Computing the confidence in the top-level claim for up to 400 contracts takes less
than 100 s. On the other hand, inference on the single BN reaches a timeout threshold of 1 h for less
than 50 contracts. This result is consistent with the asymptotic complexity of Bayesian inference, which
is exponential in the width of the elimination order w, a measure of the maximum number of neighbors
of a BN node [36]. For example, the complexity of variable elimination for exact Bayesian inference is
O(k
2
e
w), where k is the number of BN nodes and w is the width of the elimination order. By virtue of our
compositional approach, confidence computations require 2M inference tasks on BNs with a small number of nodes, bounded by kc, and a constant width wc, which amounts to linear complexity (O(k
2
cMewc )).
On the other hand, the single BNs with 2M(kc + 1) + 3 and 2M(kc + 2) + 1 nodes and maximum widths
of M and 2, respectively, for horizontally and vertically expanded arguments, lead to the observable exponential and quadratic explosions of execution time for inference tasks, with complexity O(k
2
cM2
eM) and
O(k
2
cM2
e
2
), respectively.
As shown in Figure 5.12c, validating HSCNs with more than 15, 000 contracts incurs additional overhead due to the cost for finding a matching confidence network for each evidential contract, currently
110

based on linear search, which becomes inefficient for large confidence libraries. Moreover, validating
vertically-expanded HSCNs takes less time than horizontally-expanded HSCNs due to the different size of
the associated SMT problems. Solving multiple smaller SMT instances in a vertically-expanded HSCN is
less expensive than solving just a few, but larger, SMT instances in a horizontally-expanded HSCN. Overall,
HSCNs with more than 24, 000 contracts, organized in 3 layers and 18 layers in the horizontally and vertically expanded cases, respectively, and using a library of 24, 000 confidence networks, can be validated
in less than an hour.
5.8.3 Advanced Fail Safe Module of ArduPilot
ArduPilot is an open source platform for controlling vehicles including rovers, fixed-wing aircraft, and rotorcraft. It is a software stack that performs estimation, control, and communication between the software
and hardware. In this experiment, we focus on the ArduPilot modules used for the ArduCopter [7] rotorcraft. We created a library consisting of 17 patterns that incorporate system development best practices
for compliance with DO-178C, DO-333, and vetted security arguments from domain experts.
5.8.4 Security of an Industrial Aerospace System
Our approach was also validated on an industrial aerospace system to argue that the system meets certain
security requirements. The results are provided in Table 5.2 under the name Industrial Case Study.
5.8.5 AACE in Action
5.8.5.1 Synthesis
Given a top-level argumentation goal, “the ArduCopter software s is acceptably secure”, the pattern library,
and a set of desired security properties ℓ, with |ℓ| as the number of properties, a total of 3
|ℓ| AC candidates
were generated, as shown in Table 5.2. Figure 5.13 compactly represents the set of all possible ACs for an
111

arbitrary |ℓ|. The top-level goal is supported by the completeness (C3 of N1) and correctness (C4 of N1)
of the software specification, i.e., the set of requirements that must be satisfied, including a set of security
properties, the correctness of the software implementation with respect to the security requirements (C2
of N1), and the satisfaction of the security properties of interest, e.g., by eliminating or mitigating certain
system-specific security hazards, (C1 of N1). Parts of the HCN for supporting C2, C3, and C4 of N1 are
omitted due to the limited space.
AC synthesis considers three methods to assess the satisfaction of a security property pi ∈ ℓ (Ci of N2),
namely, architecture analysis (N6,1), model checking (N6,2), and static analysis (N6,3). These methods are
denoted by the conditional refinements (R2,1,1, R2,1,2, and R2,1,3) represented by dotted lines in Figure 5.13.
Not all the methods can support every security property. AC synthesis only provides candidates whose
conditional refinements connect the properties to the appropriate supporting methods. For example, if a
multi-rate, quasi-periodic model of computation is adopted, where processes operate periodically at their
individual periods and communicate via bounded latency channels, the satisfaction of a property such
as “the processing latency for a message between a pair of communicating AFS subsystems is bounded”
can be supported by the evidence generated by an architecture modeling and timing analysis tool geared
toward the selected model of computation [17]. On the other hand, the security property that “no denial of
service occurs due to triggering of nullness exceptions” can be better supported by evidence generated via
static analysis. In our example, with a total of |ℓ| = 4 properties, it took 12 s to generate 3
4 AC candidates
(4 properties with 3 options for refinement), effectively capturing all the possible means of compliance and
evaluation strategies.
5.8.5.2 Validation
To test the selection capability of our framework, we designed the ArduCopter case study to only have
one fully supported candidate, out of a total of 81 candidates. However, AC validation also retained 9 AC
112

A: _ G: __ , ଴,ଵ ≔ ___(, ) ∧ ___() ∧ ___() ∧ ___() ↔ __(, ) ଴,ଵ
A: _ G: __ , ଵ …
ଵ,ଵ ≔∧௣೔∈௟ __(, ௜) ↔ ___(, ) ଵ,ଵ ,
A: _ G: ℎ_ , ଵ ,
A: _ G: __ , ଵ
A: _ G: ___ ,
A: _ G: ___
A: ⊤
G: ___
A: ⊤
G: ___ ,
A: _ G: _ , ଵ ଶ,ଵ,ଷ ≔ __ , ଵ ↔ __ , ଵ ଶ,ଵ,ଶ ଶ,ଵ,ଷ ଶ,ଵ,ଶ ≔ _ , ଵ ↔ __ , ଵ
Refinement
Options for
Refinement
ଶ,ଵ,ଵ ≔ ℎ_ , ଵ ↔ __ , ଵ ଶ,ଵ,ଵ
Figure 5.13: Compact representation of AC candidates for arguing the security of the ArduCopter software
in HCN form.
Case Study Pattern
Library Size
Security
Property Count
Total
Candidates
Valid
Candidates
Average Claims
per Candidate Synthesis (s) Validation (s)
Selection Assessment
ArduCopter
17 2 3
2 1 43 10 18 69
17 4 3
4 1 50 12 21 82
17 6 3
6 1 58 16 26 92
17 8 3
8 1 66 18 41 102
17 10 3
10 1 73 21 152 119
17 12 3
12 1 81 25 3,143 832
Industrial
Case Study 91 N/A 6 × 105 10 652 819 1,683 3,322
Table 5.2: Performance of the AC generation framework for the ArduCopter software and an industriallevel aerospace system.
candidates with the highest completion scores to suggest AC candidates requiring the least additional evidence items. The candidate with the highest completion score was successfully validated with confidence
0.9836 [106]. Its assessment, consisting of 24 refinement steps, took 8 s.
5.8.5.3 Performance Evaluation
We report the performance and scalability of the AC generation framework by increasing the number of
total AC candidates from 9 to 6 × 105
in Table 5.2. We observed a sub-linear increase in the execution
time for the generation and confidence assessment of ACs as the total number of AC candidates increased.
The time spent for selecting the ACs grew linearly with the total generated candidates. Larger ACs in the
113

industrial case study resulted in greater execution time for confidence assessment. When applied to an
augmented version of the industrial case study, our framework could synthesize 1024 AC candidates in
about 2,100 s from a library of 91 patterns. Overall, our generation framework was able to generate over
6 × 105 AC candidates and recommend those with the highest confidence values and completion metrics
in less than 100 minutes.
5.9 Chapter Summary
We presented a framework for computer-aided generation and validation of ACs leveraging domain
knowledge-based assurance patterns. ACs are formalized as hierarchical contract networks, which allow
for efficient, modular synthesis and validation of arguments. Empirical results show that our framework is
able to efficiently generate AC candidates for representative real-world systems in a scalable manner. We
intend to improve it by normalizing evidence items from different sources, by ranking candidates using
a predictive cost model, and by introducing mechanisms for the elicitation of confidence models. While
generating assurance patterns and confidence models may require significant initial effort, we also aim to
investigate methods to alleviate this burden by providing templates for computer-aided pattern elicitation,
formalization, and validation.
114

Chapter 6
Conclusions and Future Work
In this chapter, we summarize the main contributions of this dissertation. Then, we identify the remaining
challenges and propose future research directions in the furtherance of design, verification, and assurance
methods for cyber-physical systems (CPSs).
6.1 Conclusions
This dissertation focused on the challenges in designing, ensuring, and assuring the safety and security of modern cyber-physical systems (CPSs). These systems, which integrate cyber components like
computing and control with physical processes, have become increasingly complex, heterogeneous, interconnected, autonomous, and adaptable. While these advancements offer potential, they also present
formidable challenges, particularly in ensuring the reliability and trustworthiness of CPS as they integrate
learning-enabled components. Moreover, the current lack of mature tools and methodologies for providing formal assurances has contributed to ongoing skepticism among regulatory bodies and the public
regarding the safety and security of these systems.
To address these challenges, this dissertation highlighted the importance of effectively capturing and
managing the diverse, and often conflicting, requirements from various stakeholders. Poorly defined or
conflicting requirements can lead to system failures and prolonged development timelines, making their
115

proper management essential. Furthermore, the complexity of CPS can lead to emergent behaviors that
complicate design decisions, especially when these decisions must account for interconnected aspects of
the system. Additionally, the uncertainties inherent in CPS, ranging from environmental noise to adversarial conditions, further complicate their design and operation. Finally, the absence of universally accepted
assurance standards poses a significant obstacle to the timely deployment of new CPS products, as existing
standards are often domain-specific and not easily generalized.
In Chapter 3, we formally defined the design, verification, and control synthesis problems for CPSs consisting of agents with individual objectives, using the concept of reward contracts. These contracts enabled
the specification of these agents’ complex, reward-driven behaviors using signal temporal logic (STL), and
reward functions. To capture the interactions between components, including scenarios of cooperation
and non-cooperation, we introduced a novel set of contract composition operators. Then, we provided
effective optimization-based encodings for contract-based verification and control synthesis problems, using mixed-integer programming (MIP). We illustrated the effectiveness of the proposed framework on a
set of case studies with connected and autonomous vehicles on a various traffic scenarios.
In Chapter 4, we presented an automated framework for the quantitative verification and design space
exploration of CPS under uncertainty. This framework leverages the robust semantics of stochastic A/Gs
contracts, expressed in the probabilistic logic formalism StSTL. We formulated the quantitative verification
and design space exploration problems as bi-level optimization problems and showed that these optimization problems could be effectively solved a specific class of stochastic systems and a subset of bounded-time
StSTL formulas. The approach was validated through the design and verification of a multi-sensor perception system and an adaptive cruise control (ACC) system.
Finally, we expanded the application horizon of A/G contracts to post-design time assurance of CPSs
in Chapter 5, automating the compliance checks with regulatory standards and system designer-defined
requirements. We expedited this manual and prescriptive process by presenting an A/G contract-based
116

method for the automated synthesis and evaluation of assurance arguments. We utilized a network of interconnected stochastic contracts to formalize an assurance argument, validate its logical correctness, and
quantify its risk, using a coordinated approach that combines logic and Bayesian reasoning. We showed
that our method could circumvent the limitations of previous approaches, such as the “masking” of lowconfidence premises and the equal weighting of claims, and could scale using case studies motivated by
safety-critical avionic and automotive applications.
6.2 Future Work
6.2.1 Reasoning about Stochastic Systems With Non-Gaussian Distributions
Utilizing StSTL for capturing probabilistic behaviors, stochastic A/G contracts framework has been introduced to conveniently balance expressiveness with support for computationally tractable encodings of
analysis and synthesis tasks in terms of optimization problems [100, 105]. However, the encodings were
available only for a class of discrete-time linear systems subject to Gaussian noises while the noises in
CPSs may follow non-Gaussian probability distributions. For instance, a traffic flow model can be modeled
using Poisson distribution and a sensor noise can be modeled using truncated Gaussian distribution where
the noise is bounded from below or above.
A promising future direction includes extending the scope of the noise in the system models, limited
to Gaussian distribution in [100, 105], to other non-Gaussian distributions such as uniform and truncated
Gaussian. Gaussian random variables have been widely advocated for quantification of uncertainty since
its sum and difference is convenient to compute using a closed form expression, as well as their expectations
and variances that are needed for the mathematical encoding of the CPS behaviors [100]. However, it is
usually challenging to compute a closed-form expression of the system behavior, that may correspond to
the sum and difference of random variables having non-Gaussian distributions.
117

Future research could focus on developing methods to approximate the distribution of system behaviors:
µ(ξk) = a
T xk + b
T uk + c
T
zk + d
T wk + e
T
vk + f, (6.1)
by approximating the sum of non-Gaussian random variables, e.g, wk and vk. One potential approach
is to discretize these distributions as probability mass functions (pmfs), and sum those variables using
convolutions. These pmfs could then be used to compute the closed-form expressions of the key metrics
such as expectation E[·], variance V ar[·], and the quantile function F
−1
(·), facilitating the formulation of
mixed-integer constraints using Equation (4.12). Additionally, exploring the conditions under which the
sum of multiple uniform random variables can be approximated by a Gaussian distribution, in accordance
with the Central Limit Theorem (CLT), could be beneficial.
6.2.2 Investigating Adaptive Partition Mechanisms
We could leverage the robustness estimates to guide design space partition mechanisms as a promising
direction for enhancing the scalability of parameter synthesis algorithms. Currently, these robustness
estimates, reflecting the margin by which a design satisfies certain properties within the design space
partition, are not used to direct the parameter search [105]. Although these margins could inform and
potentially optimize the design space partitioning process, our current approach explores design space
partitions in a first-in, first-out (FIFO) manner, as described in lines 3 and 11 of Algorithm 4.
Future direction could be a method utilizing the decaying ϵ-greedy policy which has been employed to
address the explore-exploit dilemma which occurs often, for example, in reinforcement learning problems
such as multi-armed bandit problem. This method could utilize the minimum robustness estimates of the
UNDET partitions as the rewards and a decaying probability ϵ =
1
1+nβ where n is the number of steps and
β < 1 is a scaling factor. In line 3 of Algorithm 4, the UNDET partition with the largest robustness estimate
118

will be chosen, classified, and partitioned (line 4-12 of Algorithm 4) with probability 1 − ϵ (exploitation).
With probability ϵ, any partition will be randomly chosen, classified, and partitioned (exploration). We
expect to balance the exploration and exploitation for solving the parameter synthesis problems by actively
utilizing the proposed StSTL robustness estimates as rewards in reinforcement learning setups.
119

Bibliography
[1] Martín Abadi and Leslie Lamport. “Conjoining Specifications”. In: ACM Trans. Program. Lang.
Syst. 17.3 (May 1995), pp. 507–535. issn: 0164-0925. doi: 10.1145/203095.201069.
[2] Ernest W. Adams. A Primer of Probability Logic. Center for the Study of Language and
Information, 1996.
[3] Adelard LLP. “Assurance and safety case environment (ASCE)”. In: (2011). url:
https://www.adelard.com/asce/.
[4] Adelard LLP. Claims, Arguments and Evidence (CAE).
https://www.adelard.com/asce/choosing-asce/cae.html. 2019 (accessed October 23rd, 2020).
[5] Rajeev Alur, Tomás Feder, and Thomas A. Henzinger. “The Benefits of Relaxing Punctuality”. In:
J. ACM 43.1 (Jan. 1996), pp. 116–146. issn: 0004-5411. doi: 10.1145/227595.227602.
[6] Ankur Ankan and Abinash Panda. “pgmpy: Probabilistic graphical models using python”. In:
Proc. of the 14th Python in Science Conf. (SCIPY 2015). Citeseer. 2015.
[7] ArduPilot Dev Team. ArduCopter. 2023. url: https://ardupilot.org/copter/.
[8] David Atkinson. “Confirmation and justification. A commentary on Shogenji’s measure”. en. In:
Synthese 184.1 (Jan. 2012), pp. 49–61. issn: 0039-7857, 1573-0964. doi: 10.1007/s11229-009-9696-4.
[9] Il Bae, Jaeyoung Moon, and Jeongseok Seo. “Toward a comfortable driving experience for a
self-driving shuttle bus”. In: Electronics 8.9 (2019), p. 943.
[10] Georgios Bakirtzis, Tim Sherburne, Stephen Adams, Barry M. Horowitz, Peter A. Beling, and
Cody H. Fleming. “An ontological metamodel for cyber-physical system safety, security, and
resilience coengineering”. In: Software and Systems Modeling 21.1 (2022), pp. 113–137. issn:
1619-1374. doi: 10.1007/s10270-021-00892-z.
[11] Jonathan F. Bard and James E. Falk. “An explicit solution to the multi-level programming
problem”. In: Computers & Operations Research 9.1 (1982), pp. 77–100. issn: 0305-0548.
[12] Matthew R Barry. “CertWare: A workbench for safety case production and analysis”. In:
Aerospace conference. 2011, pp. 1–10.
120

[13] Sebastian S. Bauer, Alexandre David, Rolf Hennicker, Kim Guldstrand Larsen, Axel Legay,
Ulrik Nyman, and Andrzej Wąsowski. “Moving from Specifications to Contracts in
Component-Based Design”. In: Fundamental Approaches to Software Engineering. 2012.
[14] Ali Ben Mrad, Veronique Delcroix, Mohamed Amine Maalej, Sylvain Piechowiak, and
Mohamed Abid. “Uncertain Evidence in Bayesian Networks: Presentation and Comparison on a
Simple Example”. In: Advances in Computational Intelligence. Ed. by Salvatore Greco,
Bernadette Bouchon-Meunier, Giulianella Coletti, Mario Fedrizzi, Benedetto Matarazzo, and
Ronald R. Yager. Berlin, Heidelberg: Springer Berlin Heidelberg, 2012, pp. 39–48. isbn:
978-3-642-31718-7.
[15] Albert Benveniste, Benoît Caillaud, Dejan Nickovic, Roberto Passerone, Jean-Baptiste Raclet,
Philipp Reinkemeier, Alberto Sangiovanni-Vincentelli, Werner Damm, Thomas A. Henzinger, and
Kim G. Larsen. “Contracts for System Design”. In: Foundations and Trends in Electronic Design
Automation 12.2-3 (2018), pp. 124–400. issn: 1551-3939. doi: 10.1561/1000000053.
[16] Albert Benveniste, Benoıt Caillaud, Dejan Nickovic, Roberto Passerone, Jean-Baptiste Raclet,
Philipp Reinkemeier, Alberto Sangiovanni-Vincentelli, Werner Damm, Thomas A Henzinger,
Kim G Larsen, et al. “Contracts for system design”. In: Foundations and Trends in Electronic Design
Automation 12.2-3 (2018), pp. 124–400.
[17] Devesh Bhatt, Hao Ren, Anitha Murugesan, Jason Biatek, Srivatsan Varadarajan, and
Natarajan Shankar. “Requirements-Driven Model Checking and Test Generation for
Comprehensive Verification”. In: NASA Formal Methods. Cham: Springer International Publishing,
2022, pp. 576–596. isbn: 978-3-031-06773-0.
[18] Patrick Billingsley. Probability and measure. John Wiley & Sons, 2008.
[19] Robin Bloomfield and John Rushby. “Assurance 2.0”. In: arXiv preprint arXiv:2004.10474 (2020).
[20] C. Blundell. “Assume-guarantee testing for software components”. English. In: IET Software 2 (6
Dec. 2008), 547–562(15). issn: 1751-8806. url:
https://digital-library.theiet.org/content/journals/10.1049/iet-sen_20080012.
[21] Stephen Boyd and Lieven Vandenberghe. Convex Optimization. Cambridge University Press, 2004.
doi: 10.1017/CBO9780511804441.
[22] Samuel Burer and Adam N. Letchford. “Non-convex mixed-integer nonlinear programming: A
survey”. In: Surveys in Operations Research and Management Science 17.2 (2012), pp. 97–106. issn:
1876-7354. doi: https://doi.org/10.1016/j.sorms.2012.08.001.
[23] Ali Tevfik Buyukkocak, Derya Aksaray, and Yasin Yazıcıoğlu. “Planning of Heterogeneous
Multi-Agent Systems Under Signal Temporal Logic Specifications With Integral Predicates”. In:
IEEE Robotics and Automation Letters 6.2 (2021), pp. 1375–1382. doi: 10.1109/LRA.2021.3057049.
[24] California DMV. Autonomous Vehicle Collision Reports. url:
https://www.dmv.ca.gov/portal/vehicle-industry-services/autonomous-vehicles/autonomousvehicle-collision-reports/ (visited on 10/21/2022).
121

[25] California DMV. Disengagement reports. url: https://www.dmv.ca.gov/portal/vehicle-industryservices/autonomous-vehicles/disengagement-reports/ (visited on 11/01/2022).
[26] E. F. Camacho and C. Bordons. “Introduction to Model Predictive Control”. In: Model Predictive
control. London: Springer London, 2007, pp. 1–11. isbn: 978-0-85729-398-5. doi:
10.1007/978-0-85729-398-5_1.
[27] E. F. Camacho and C. Bordons. “Introduction to Model Predictive Control”. In: Model Predictive
control. London: Springer London, 2007, pp. 1–11. doi: 10.1007/978-0-85729-398-5_1.
[28] Mark Campbell, Magnus Egerstedt, Jonathan P. How, and Richard M. Murray. “Autonomous
driving in urban environments: approaches, lessons and challenges”. en. In: Philosophical
transactions. Series A, Mathematical, physical, and engineering sciences 368.1928 (2010),
pp. 4649–4672. issn: 1364-503X. doi: 10.1098/rsta.2010.0110.
[29] M. Canale and S. Malan. “Robust Design of PID Based ACC S&G Systems”. In: IFAC Proceedings
Volumes 36.18 (2003). 2nd IFAC Conference on Control Systems Design (CSD ’03), Bratislava,
Slovak Republic, 7-10 September 2003, pp. 333–338. issn: 1474-6670. doi:
https://doi.org/10.1016/S1474-6670(17)34690-6.
[30] Carmen Cârlan, Vivek Nigam, Sebastian Voss, and Alexandros Tsalidis. “ExplicitCase:
Tool-support for creating and maintaining assurance arguments integrated with system models”.
In: International Symposium on Software Reliability Engineering Workshops (ISSREW). 2019,
pp. 330–337.
[31] Hei Chan and Adnan Darwiche. “On the revision of probabilistic beliefs using uncertain
evidence”. In: Artificial Intelligence 163.1 (2005), pp. 67–90. issn: 0004-3702. doi:
https://doi.org/10.1016/j.artint.2004.09.005.
[32] Maria Charitidou and Dimos V. Dimarogonas. “Signal Temporal Logic Task Decomposition via
Convex Optimization”. In: IEEE Control Systems Letters 6 (2022), pp. 1238–1243. doi:
10.1109/LCSYS.2021.3090980.
[33] Alessandro Cimatti and Stefano Tonetta. “Contracts-refinement proof system for
component-based embedded systems”. In: Science of Computer Programming 97, Part 3 (2015),
pp. 333–348. issn: 0167-6423.
[34] Edmund M. Clarke, Thomas A. Henzinger, Helmut Veith, and Roderick Bloem. Handbook of Model
Checking. Springer International Publishing, 2018. isbn: 978-3-319-10575-8. doi:
10.1007/978-3-319-10575-8_1.
[35] W. Damm, H. Hungar, B. Josko, T. Peikenkamp, and I. Stierand. “Using contract-based component
specifications for virtual integration testing and architecture design”. In: Design, Automation, Test
in Europe. Mar. 2011, pp. 1–6.
[36] Adnan Darwiche. Modeling and Reasoning with Bayesian Networks. Cambridge University Press,
2009. doi: 10.1017/CBO9780511811357.
122

[37] Jose Luis de la Vara, Alejandra Ruiz, and Gaël Blondelle. “Assurance and certification of
cyber-physical systems: The AMASS open source ecosystem”. In: Journal of Systems and Software
171 (2021), p. 110812. issn: 0164-1212. doi: https://doi.org/10.1016/j.jss.2020.110812.
[38] Leonardo De Moura and Nikolaj Bjørner. “Z3: An Efficient SMT Solver”. In: 2008.
[39] Jonathan DeCastro, Lucas Liebenwein, Cristian-Ioan Vasile, Russ Tedrake, Sertac Karaman, and
Daniela Rus. “Counterexample-Guided Safety Contracts for Autonomous Driving”. In: Proceedings
of the 13th International Workshop on the Algorithmic Foundations of Robotics (WAFR). Dec. 2018.
[40] Stephan Dempe. Foundations of Bilevel Programming. Springer New York, NY, 2002. isbn:
978-0-306-48045-4. doi: 10.1007/0-306-48045-X_1.
[41] A. P. Dempster. “Upper and Lower Probabilities Induced by a Multivalued Mapping”. In: The
Annals of Mathematical Statistics 38.2 (1967), pp. 325–339.
[42] E. Denney, G. Pai, and I. Habli. “Towards Measurement of Confidence in Safety Cases”. In: 2011
Int. Symp. on Empirical Software Engineering and Measurement. 2011.
[43] Ewen Denney, Ganesh Pai, and Josef Pohl. “AdvoCATE: An assurance case automation toolset”.
In: Int. Conf. on Computer Safety, Reliability, and Security. Springer. 2012, pp. 8–21.
[44] Jyotirmoy V Deshmukh, Alexandre Donzé, Shromona Ghosh, Xiaoqing Jin, Garvit Juniwal, and
Sanjit A Seshia. “Robust online monitoring of signal temporal logic”. In: Formal Methods in System
Design 51.1 (Aug. 2017), pp. 5–30.
[45] Tatiana Domingues de Almeida Diego Castro Fettermann Caroline Gobbo Sá Cavalcante and
Guilherme Luz Tortorella. “How does Industry 4.0 contribute to operations management?” In:
Journal of Industrial and Production Engineering 35.4 (2018), pp. 255–268. doi:
10.1080/21681015.2018.1462863.
[46] Alexandre Donze, Oded Maler, Ezio Bartocci, Dejan Nickovic, Radu Grosu, and Scott A Smolka.
“On Temporal Logic and Signal Processing”. In: Proceedings of ATVA 2012, the 10th International
Symposium on Automated Technology for Verification and Analysis. LNCS/Springer. 2012,
pp. 92–106.
[47] Alexandre Donzé, Thomas Ferrere, and Oded Maler. “Efficient robust monitoring for STL”. In:
Computer Aided Verification. Springer. 2013, pp. 264–279.
[48] Alexandre Donzé, Thomas Ferrère, and Oded Maler. “Efficient Robust Monitoring for STL”. In:
Computer Aided Verification. Ed. by Natasha Sharygina and Helmut Veith. Springer Berlin
Heidelberg, 2013, pp. 264–279. isbn: 978-3-642-39799-8.
[49] Alexandre Donzé and Oded Maler. “Robust Satisfaction of Temporal Logic over Real-Valued
Signals”. In: Formal Modeling and Analysis of Timed Systems. Ed. by Krishnendu Chatterjee and
Thomas A. Henzinger. Berlin, Heidelberg: Springer Berlin Heidelberg, 2010, pp. 92–106. isbn:
978-3-642-15297-9.
123

[50] Rick Durrett. Probability: Theory and Examples. 4th ed. Cambridge Series in Statistical and
Probabilistic Mathematics. Cambridge University Press, 2010.
[51] Georgios E. Fainekos and George J. Pappas. “Robust Sampling for MITL Specifications”. In:
Proceedings of the 5th International Conference on Formal Modeling and Analysis of Timed Systems.
FORMATS’07. Salzburg, Austria: Springer-Verlag, 2007, pp. 147–162. isbn: 3540754539.
[52] Georgios E. Fainekos and George J. Pappas. “Robustness of Temporal Logic Specifications for
Continuous-Time Signals”. In: Theor. Comput. Sci. 410.42 (Sept. 2009), pp. 4262–4291. issn:
0304-3975. url: https://doi.org/10.1016/j.tcs.2009.06.021.
[53] Samira S. Farahani, Vasumathi Raman, and Richard M. Murray. “Robust Model Predictive Control
for Signal Temporal Logic Synthesis”. In: IFAC-PapersOnLine 48.27 (2015). Analysis and Design of
Hybrid Systems ADHS, pp. 323–328. issn: 2405-8963. doi:
https://doi.org/10.1016/j.ifacol.2015.11.195.
[54] Marcello Farina, Luca Giulioni, Lalo Magni, and Riccardo Scattolini. “An approach to
output-feedback MPC of stochastic linear discrete-time systems”. In: Automatica 55 (2015),
pp. 140–149. issn: 0005-1098. doi: https://doi.org/10.1016/j.automatica.2015.02.039.
[55] Ioannis Filippidis and Richard M. Murray. “Layering Assume-Guarantee Contracts for
Hierarchical System Design”. In: Proceedings of the IEEE 106.9 (2018), pp. 1616–1654. doi:
10.1109/JPROC.2018.2834926.
[56] Hajime Fujita, Yutaka Matsuno, Toshihiro Hanawa, Mitsuhisa Sato, Shinpei Kato, and
Yutaka Ishikawa. “DS-Bench Toolset: Tools for dependability benchmarking with simulation and
assurance”. In: International conference on dependable systems and networks. IEEE. 2012, pp. 1–8.
[57] Andrew Gacek, John Backes, Darren D. Cofer, Konrad Slind, and Mike Whalen. “Resolute: An
Assurance Case Language for Architecture Models”. In: SIGAda annual conference on High
integrity language technology. 2014, pp. 19–28.
[58] Haim Gaifman. “Concerning measures in first order calculi”. In: Israel Journal of Mathematics 2.1
(Mar. 1964), pp. 1–18. issn: 1565-8511.
[59] Shromona Ghosh, Dorsa Sadigh, Pierluigi Nuzzo, Vasumathi Raman, Alexandre Donzé,
Alberto L. Sangiovanni-Vincentelli, S. Shankar Sastry, and Sanjit A. Seshia. “Diagnosis and Repair
for Synthesis from Signal Temporal Logic Specifications”. In: Proceedings of the 19th International
Conference on Hybrid Systems: Computation and Control. HSCC ’16. Vienna, Austria: Association
for Computing Machinery, 2016, pp. 31–40. isbn: 9781450339551. url:
https://doi.org/10.1145/2883817.2883847.
[60] D. Giannakopoulou, C.S. Pasareanu, and J.M. Cobleigh. “Assume-guarantee verification of source
code with design-level assumptions”. In: Proceedings. 26th International Conference on Software
Engineering. 2004, pp. 211–220. doi: 10.1109/ICSE.2004.1317443.
[61] Steven Gillijns and Bart De Moor. “Unbiased minimum-variance input and state estimation for
linear discrete-time systems”. In: Automatica 43.1 (2007), pp. 111–116. issn: 0005-1098. doi:
https://doi.org/10.1016/j.automatica.2006.08.002.
124

[62] Susanne Graf, Roberto Passerone, and Sophie Quinton. “Contract-Based Reasoning for
Component Systems with Rich Interactions”. In: Embedded Systems Development, From Functional
Models to Implementations. 2014, pp. 139–154.
[63] Patrick J. Graydon and C. Michael Holloway. “An investigation of proposed techniques for
quantifying confidence in assurance arguments”. In: Safety Science (2017).
[64] The Assurance Case Working Group. “Goal Structuring Notation Community Standard (Version
2)”. In: (2018).
[65] The Assurance Case Working Group. “Goal Structuring Notation Community Standard (Version
3)”. In: (2021).
[66] LLC Gurobi Optimization. Gurobi Optimizer Reference Manual. 2019. url: http://www.gurobi.com.
[67] Theodore Hailperin. “Probability logic.” In: Notre Dame Journal of Formal Logic 25.3 (1984),
pp. 198–212.
[68] Pierre Hansen, Brigitte Jaumard, and Gilles Savard. “New Branch-and-Bound Rules for Linear
Bilevel Programming”. In: SIAM Journal on Scientific and Statistical Computing 13.5 (1992),
pp. 1194–1217. doi: 10.1137/0913069. eprint: https://doi.org/10.1137/0913069.
[69] Richard Hawkins, Ibrahim Habli, Dimitris Kolovos, Richard Paige, and Tim Kelly. “Weaving an
assurance case from design: a model-based approach”. In: Int. Symp. on High Assurance Systems
Engineering. 2015.
[70] Chris Hobbs and Martin Lloyd. “The Application of Bayesian Belief Networks to Assurance Case
Preparation”. In: Achieving Systems Safety. Springer London, 2012.
[71] C Michael Holloway. “Explicate’78: Uncovering the implicit assurance case in DO-178C”. In:
Safety-Critical Systems Symposium (2015).
[72] C Michael Holloway. “Understanding the Overarching Properties”. In: (2019).
[73] I Incer. “The algebra of contracts”. PhD thesis. Ph. D. thesis, EECS Department, University of
California, Berkeley, 2022.
[74] Finn V. Jensen. Introduction to Bayesian Networks. 1st. Berlin, Heidelberg: Springer-Verlag, 1996.
isbn: 0387915028.
[75] Susmit Jha, Vasumathi Raman, Dorsa Sadigh, and Sanjit A. Seshia. “Safe Autonomy Under
Perception Uncertainty Using Chance-Constrained Temporal Logic”. In: Journal of Automated
Reasoning 60.1 (Jan. 2018), pp. 43–62. issn: 1573-0670.
[76] Audun Jøsang. “A Logic for Uncertain Probabilities”. In: Int. J. Uncertain. Fuzziness Knowl.-Based
Syst. (2001).
125

[77] Hadas Kress-Gazit, Georgios E. Fainekos, and George J. Pappas. “Temporal-Logic-Based Reactive
Mission and Motion Planning”. In: IEEE Transactions on Robotics 25.6 (2009), pp. 1370–1381. doi:
10.1109/TRO.2009.2030225.
[78] Panagiotis Kyriakis, Jyotirmoy V. Deshmukh, and Paul Bogdan. “Specification Mining and Robust
Design Under Uncertainty: A Stochastic Temporal Logic Approach”. In: ACM Trans. Embed.
Comput. Syst. 18.5s (Oct. 2019), 96:1–96:21. issn: 1539-9087.
[79] Jiwei Li, Pierluigi Nuzzo, Alberto Sangiovanni-Vincentelli, Yugeng Xi, and Dewei Li. “Stochastic
Contracts for Cyber-Physical System Design under Probabilistic Requirements”. In: Proceedings of
the 15th ACM-IEEE International Conference on Formal Methods and Models for System Design.
MEMOCODE ’17. Vienna, Austria: ACM, 2017, pp. 5–14. isbn: 9781450350938.
[80] Ricardo M. Lima and Ignacio E. Grossmann. “Computational advances in solving Mixed Integer
Linear Programming problems”. In: (Jan. 2011). doi: 10.1184/R1/6466835.v1.
[81] Lars Lindemann and Dimos V. Dimarogonas. “Robust motion planning employing signal
temporal logic”. In: 2017 American Control Conference (ACC). 2017, pp. 2950–2955. doi:
10.23919/ACC.2017.7963399.
[82] Lars Lindemann, George J. Pappas, and Dimos V. Dimarogonas. “Control Barrier Functions for
Nonholonomic Systems under Risk Signal Temporal Logic Specifications”. In: 2020 59th IEEE
Conference on Decision and Control (CDC). 2020, pp. 1422–1428. doi:
10.1109/CDC42340.2020.9304056.
[83] Zhiyu Liu, Jin Dai, Bo Wu, and Hai Lin. “Communication-aware motion planning for multi-agent
systems from signal temporal logic specifications”. In: 2017 American Control Conference (ACC).
2017, pp. 2516–2521. doi: 10.23919/ACC.2017.7963331.
[84] Oded Maler and Dejan Nickovic. “Monitoring Temporal Properties of Continuous Signals”. In:
Formal Techniques, Modelling and Analysis of Timed and Fault-Tolerant Systems. Ed. by
Yassine Lakhnech and Sergio Yovine. Berlin, Heidelberg: Springer Berlin Heidelberg, 2004,
pp. 152–166. isbn: 978-3-540-30206-3.
[85] Oded Maler and Dejan Nickovic. “Monitoring temporal properties of continuous signals”. In:
Formal Techniques, Modelling and Analysis of Timed and Fault-Tolerant Systems. Springer, 2004,
pp. 152–166.
[86] Shahar Maoz and Jan Oliver Ringert. “GR(1) Synthesis for LTL Specification Patterns”. In:
Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering. ESEC/FSE 2015.
Bergamo, Italy: Association for Computing Machinery, 2015, pp. 96–106. isbn: 9781450336758.
doi: 10.1145/2786805.2786824.
[87] Yutaka Matsuno. “D-Case Editor: A typed assurance case editor”. In: University of Tokyo (2011).
[88] Mobileye. The Mobileye Safety Methodology. 2021. url:
https://www.mobileye.com/safety-methodology/.
126

[89] Sunil Nair, Neil Walkinshaw, and Tim Kelly. “Quantifying Uncertainty in Safety Cases Using
Evidential Reasoning”. In: Computer Safety, Reliability, and Security. Ed. by Andrea Bondavalli,
Andrea Ceccarelli, and Frank Ortmeier. Cham: Springer, 2014, pp. 413–418. isbn:
978-3-319-10557-4.
[90] Alessia Napoleone, Marco Macchi, and Alessandro Pozzetti. “A review on the characteristics of
cyber-physical systems for the future smart factories”. In: Journal of Manufacturing Systems 54
(2020), pp. 305–335. issn: 0278-6125. doi: https://doi.org/10.1016/j.jmsy.2020.01.007.
[91] National Science Foundation. Cyber-Physical Systems. url:
https://www.nsf.gov/news/special_reports/cyber-physical/.
[92] R.E. Neapolitan and R.E. Neapolitan. Learning Bayesian Networks. Pearson Prentice Hall, 2004.
[93] Damir Nešić, Mattias Nyberg, and Barbara Gallina. “Product-line assurance cases from
contract-based design”. In: Journal of Systems and Software 176 (2021), p. 110922.
[94] Nils J. Nilsson. “Probabilistic logic”. In: Artificial Intelligence 28.1 (1986), pp. 71–87. issn:
0004-3702.
[95] Matt Novak. “68% Of Americans Afraid Of Self-Driving Cars, Up From 55% In 2022”. In: Forbes
(Mar. 2023). url: https://www.forbes.com/sites/mattnovak/2023/03/02/68-of-americans-afraidof-self-driving-cars-up-from-55-in-2022/?sh=50463cb64ddd.
[96] P. Nuzzo, M. Lora, Y. A. Feldman, and A. L. Sangiovanni-Vincentelli. “CHASE: Contract-based
requirement engineering for cyber-physical system design”. In: 2018 Design, Automation Test in
Europe Conference Exhibition (DATE). Mar. 2018, pp. 839–844.
[97] P. Nuzzo, A. L. Sangiovanni-Vincentelli, D. Bresolin, L. Geretti, and T. Villa. “A Platform-Based
Design Methodology With Contracts and Related Tools for the Design of Cyber-Physical
Systems”. In: Proceedings of the IEEE 103.11 (Nov. 2015), pp. 2104–2132.
[98] Pierluigi Nuzzo. “Compositional Design of Cyber-Physical Systems Using Contracts (PhD
dissertation)”. PhD thesis. University of California, Berkeley, 2015.
[99] Pierluigi Nuzzo, John B. Finn, Antonio Iannopollo, and Alberto L. Sangiovanni-Vincentelli.
“Contract-based design of control protocols for safety-critical cyber-physical systems”. In: 2014
Design, Automation Test in Europe Conference Exhibition (DATE). Mar. 2014, pp. 1–4. doi:
10.7873/DATE.2014.072.
[100] Pierluigi Nuzzo, Jiwei Li, Alberto L. Sangiovanni-Vincentelli, Yugeng Xi, and Dewei Li.
“Stochastic Assume-Guarantee Contracts for Cyber-Physical System Design”. In: ACM Trans.
Embed. Comput. Syst. 18.1 (Jan. 2019). issn: 1539-9087. doi: 10.1145/3243216.
[101] Pierluigi Nuzzo, Alberto Sangiovanni-Vincentelli, Davide Bresolin, Luca Geretti, and
Tiziano Villa. “A Platform-Based Design Methodology with Contracts and Related Tools for the
Design of Cyber-Physical Systems”. In: Proc. IEEE 103.11 (Nov. 2015).
127

[102] Pierluigi Nuzzo, Huan Xu, Necmiye Ozay, John B. Finn, Alberto L. Sangiovanni-Vincentelli,
Richard M. Murray, Alexandre Donzé, and Sanjit A. Seshia. “A Contract-Based Methodology for
Aircraft Electric Power System Design”. In: IEEE Access 2 (Jan. 2014), pp. 1–25. doi:
10.1109/ACCESS.2013.2295764.
[103] Pierluigi Nuzzo, Huan Xu, Necmiye Ozay, John B. Finn, Alberto L. Sangiovanni-Vincentelli,
Richard M. Murray, Alexandre Donzé, and Sanjit A. Seshia. “A contract-based methodology for
aircraft electric power system design”. In: IEEE Access 2 (2014), pp. 1–25.
[104] Chanwook Oh, Eunsuk Kang, Shinichi Shiraishi, and Pierluigi Nuzzo. “Optimizing
Assume-Guarantee Contracts for Cyber-Physical System Design”. In: 2019 Design, Automation &
Test in Europe Conference & Exhibition (DATE). 2019, pp. 246–251. doi:
10.23919/DATE.2019.8715284.
[105] Chanwook Oh, Michele Lora, and Pierluigi Nuzzo. “Quantitative verification and design space
exploration under uncertainty with parametric stochastic contracts”. In: Proceedings of the 41th
International Conference on Computer-Aided Design. ICCAD ’22. San Diego, CA, USA, 2022.
[106] Chanwook Oh, Nikhil Naik, Zamira Daw, Timothy E. Wang, and Pierluigi Nuzzo. “ARACHNE:
Automated Validation of Assurance Cases with Stochastic Contract Networks”. In: Computer
Safety, Reliability, and Security. Springer, 2022, pp. 65–81.
[107] And Ganesh Pai. “AACE: Automated assurance case environment for aerospace certification”. In:
IEEE/AIAA 42nd Digital Avionics Systems Conference (DASC). IEEE. 2023.
[108] And Ganesh Pai. “Computer-aided evaluation for argument-based certification”. In: IEEE/AIAA
42nd Digital Avionics Systems Conference (DASC). IEEE. 2023.
[109] Corina S. Păsăreanu, Matthew B. Dwyer, and Michael Huth. “Assume-Guarantee Model Checking
of Software: A Comparative Case Study”. In: Theoretical and Practical Aspects of SPIN Model
Checking. Ed. by Dennis Dams, Rob Gerth, Stefan Leue, and Mieke Massink. Berlin, Heidelberg:
Springer Berlin Heidelberg, 1999, pp. 168–183. isbn: 978-3-540-48234-5.
[110] Judea Pearl. Probabilistic reasoning in intelligent systems: networks of plausible inference. Morgan
kaufmann, 1988.
[111] Yan Pei, Swarnendu Biswas, Donald S. Fussell, and Keshav Pingali. “An Elementary Introduction
to Kalman Filtering”. In: Commun. ACM 62.11 (Oct. 2019), pp. 122–133. issn: 0001-0782. doi:
10.1145/3363294.
[112] A. Piovesan and E. Griffor. “7 - Reasoning About Safety and Security: The Logic of Assurance”. In:
Handbook of System Safety and Security. Ed. by Edward Griffor. Boston: Syngress, 2017,
pp. 113–129. isbn: 978-0-12-803773-7. doi: https://doi.org/10.1016/B978-0-12-803773-7.00007-3.
[113] Nir Piterman, Amir Pnueli, and Yaniv Sa’ar. “Synthesis of Reactive(1) Designs”. In: Verification,
Model Checking, and Abstract Interpretation. Ed. by E. Allen Emerson and Kedar S. Namjoshi.
Berlin, Heidelberg: Springer Berlin Heidelberg, 2006, pp. 364–380. isbn: 978-3-540-31622-0.
128

[114] A. Pnueli and R. Rosner. “On the Synthesis of a Reactive Module”. In: Proceedings of the 16th ACM
SIGPLAN-SIGACT Symposium on Principles of Programming Languages. POPL ’89. Austin, Texas,
USA: Association for Computing Machinery, 1989, pp. 179–190. isbn: 0897912942. doi:
10.1145/75277.75293.
[115] Amir Pnueli. “The temporal logic of programs”. In: 18th Annual Symposium on Foundations of
Computer Science (sfcs 1977). 1977, pp. 46–57.
[116] Shreyas Ramakrishna, Charles Hartsell, Abhishek Dubey, Partha Pal, and Gabor Karsai. “A
Methodology for Automating Assurance Case Generation”. In: arXiv preprint arXiv:2003.05388
(2020).
[117] Vasumathi Raman, Alexandre Donzé, Mehdi Maasoumy, Richard M. Murray,
Alberto L. Sangiovanni-Vincentelli, and Sanjit A. Seshia. “Model Predictive Control for Signal
Temporal Logic Specification”. In: CoRR abs/1703.09563 (2017). arXiv: 1703.09563. url:
http://arxiv.org/abs/1703.09563.
[118] Vasumathi Raman, Alexandre Donzé, Dorsa Sadigh, Richard M. Murray, and Sanjit A. Seshia.
“Reactive Synthesis from Signal Temporal Logic Specifications”. In: Proceedings of the 18th
International Conference on Hybrid Systems: Computation and Control. HSCC ’15. Seattle,
Washington: Association for Computing Machinery, 2015, pp. 239–248. isbn: 9781450334334. doi:
10.1145/2728606.2728628.
[119] Special C. RTCA. DO-178C, Software Considerations in Airborne Systems and Equipment
Certification. 2011.
[120] John Rushby. “Formalism in safety cases”. In: Making Systems Safer. Springer, 2010.
[121] John Rushby. The Interpretation and Evaluation of Assurance Cases. Tech. rep. Computer Science
Laboratory, SRI International, 2015.
[122] Dorsa Sadigh and Ashish Kapoor. “Safe Control under Uncertainty with Probabilistic Signal
Temporal Logic”. In: Proceedings of Robotics: Science and Systems. RSS ’16. Ann Arbor, Michigan,
2016.
[123] Alberto Sangiovanni-Vincentelli, Werner Damm, and Roberto Passerone. “Taming Dr.
Frankenstein: Contract-Based Design for Cyber-Physical Systems”. In: European Journal of
Control 18.3 (2012), pp. 217–238.
[124] Alberto Sangiovanni-Vincentelli, Werner Damm, and Roberto Passerone. “Taming Dr.
Frankenstein: Contract-Based Design for Cyber-Physical Systems”. In: European Journal of
Control 18.3 (2012), pp. 217–238. issn: 0947-3580.
[125] Sanjit A. Seshia, Shiyan Hu, Wenchao Li, and Qi Zhu. “Design Automation of Cyber-Physical
Systems: Challenges, Advances, and Opportunities”. In: IEEE Transactions on Computer-Aided
Design of Integrated Circuits and Systems 36.9 (2017), pp. 1421–1434. doi:
10.1109/TCAD.2016.2633961.
129

[126] Shai Shalev-Shwartz, Shaked Shammah, and Amnon Shashua. “On a formal model of safe and
scalable self-driving cars”. In: arXiv preprint arXiv:1708.06374 (2017).
[127] Natarajan Shankar, Devesh Bhatt, Michael Ernst, Minyoung Kim, Srivatsan Varadarajan,
Suzanne Millstein, Jorge Navas, Jason Biatek, Huascar Sanchez, Anitha Murugesan, and Hao Ren.
“DesCert: Design for Certification”. In: arXiv preprint arXiv:2203.15178 (2022).
[128] Tomoji Shogenji. “The degree of epistemic justification and the conjunction fallacy”. en. In:
Synthese 184.1 (Jan. 2012), pp. 29–48. issn: 0039-7857, 1573-0964. doi: 10.1007/s11229-009-9699-1.
[129] Singapore Traffic Police. Basic Theory of Driving: The Official Handbook. 10th ed. 2020. url:
https://www.police.gov.sg/-/media/Spf/Files/TP/Online-Learning-Portal/ENG-BTT-pdf-filelast-updated-Mar-2020.pdf.
[130] Singapore Traffic Police. Final Theory of Driving: The Official Handbook. 9th ed. 2017. url:
https://www.police.gov.sg/-/media/Spf/Files/TP/Online-Learning-Portal/FT-ENG-9th-Edition130717.ashx.
[131] Ankur Sinha, Pekka Malo, and Kalyanmoy Deb. “A Review on Bilevel Optimization: From
Classical to Evolutionary Approaches and Applications”. In: IEEE Transactions on Evolutionary
Computation 22.2 (2018), pp. 276–295.
[132] A. P. Sistla and E. M. Clarke. “The complexity of propositional linear temporal logics”. In: J. ACM
32.3 (July 1985), pp. 733–749. issn: 0004-5411. doi: 10.1145/3828.3837.
[133] Irfan Sljivo, Barbara Gallina, Jan Carlson, Hans Hansson, and Stefano Puri. “Tool-supported
safety-relevant component reuse: From specification to argumentation”. In: Ada-Europe
International Conference on Reliable Software Technologies. Springer. 2018, pp. 19–33.
[134] Irfan Šljivo, Garazi Juez Uriagereka, Stefano Puri, and Barbara Gallina. “Guiding assurance of
architectural design patterns for critical applications”. In: Journal of Systems Architecture 110
(2020), p. 101765. issn: 1383-7621. doi: https://doi.org/10.1016/j.sysarc.2020.101765.
[135] Stefano Spellini, Michele Lora, Franco Fummi, and Sudipta Chattopadhyay. “Compositional
Design of Multi-Robot Systems Control Software on ROS”. In: ACM Trans. Embed. Comput. Syst.
18.5s (Oct. 2019). issn: 1539-9087. doi: 10.1145/3358197.
[136] International Organization for Standardization. ISO 26262-1:2018 Road vehicles — Functional safety
— Part 1: Vocabulary. https://www.iso.org/standard/68383.html. 2018 (accessed October 23rd,
2020).
[137] Eugene W. Stark. “A Proof Technique for Rely/Guarantee Properties”. In: FSTTCS. 1985.
[138] Xiaowu Sun, Rohitkrishna Nambiar, Matthew Melhorn, Yasser Shoukry, and Pierluigi Nuzzo.
“DoS-Resilient Multi-Robot Temporal Logic Motion Planning”. In: 2019 International Conference
on Robotics and Automation (ICRA). 2019, pp. 6051–6057. doi: 10.1109/ICRA.2019.8794477.
130

[139] Katya Tentori, Vincenzo Crupi, Nicolao Bonini, and Daniel Osherson. “Comparison of
confirmation measures”. en. In: Cognition 103.1 (Apr. 2007), pp. 107–119. issn: 00100277. doi:
10.1016/j.cognition.2005.09.006.
[140] The Assurance Case Working Group. Goal Structuring Notation Community Standard (Version 3).
https://scsc.uk/r141C. 2021.
[141] Marcell J. Vazquez-Chanlatte, Shromona Ghosh, Vasumathi Raman,
Alberto Sangiovanni-Vincentelli, and Sanjit A. Seshia. “Generating Dominant Strategies for
Continuous Two-Player Zero-Sum Games”. In: IFAC-PapersOnLine 51.16 (2018). 6th IFAC
Conference on Analysis and Design of Hybrid Systems ADHS 2018, pp. 7–12. issn: 2405-8963.
doi: https://doi.org/10.1016/j.ifacol.2018.08.002.
[142] K. Verbert, R. Babuška, and B. De Schutter. “Bayesian and Dempster–Shafer reasoning for
knowledge-based fault diagnosis–A comparative study”. In: Engineering Applications of Artificial
Intelligence 60 (2017), pp. 136–150. issn: 0952-1976. doi:
https://doi.org/10.1016/j.engappai.2017.01.011.
[143] Kim Verbert, R Babuška, and Bart De Schutter. “Bayesian and Dempster–Shafer reasoning for
knowledge-based fault diagnosis–A comparative study”. In: Engineering Applications of Artificial
Intelligence (2017).
[144] L. Vicente, G. Savard, and J. Júdice. “Descent Approaches for Quadratic Bilevel Programming”. In:
J. Optim. Theory Appl. 81.2 (May 1994), pp. 379–399. issn: 0022-3239.
[145] Timothy E. Wang, Zamira Daw, Pierluigi Nuzzo, and Alessandro Pinto. “Hierarchical
Contract-Based Synthesis for Assurance Cases”. In: NASA Formal Methods. Springer, 2022,
pp. 175–192. isbn: 978-3-031-06773-0.
[146] Timothy E. Wang, Chanwook Oh, Matthew Low, Isaac Amundson, Zamira Daw,
Alessandro Pinto, Massimiliano L. Chiodo, Guoqiang Wang, Saqib Hasan, Ryan Melville, and
Pierluigi Nuzzo. “Computer-Aided Generation of Assurance Cases”. In: Computer Safety,
Reliability, and Security. SAFECOMP 2023 Workshops. Ed. by Jérémie Guiochet, Stefano Tonetta,
Erwin Schoitsch, Matthieu Roy, and Friedemann Bitsch. Cham: Springer Nature Switzerland,
2023, pp. 135–148. isbn: 978-3-031-40953-0.
[147] Greg Welch and Gary Bishop. An introduction to the Kalman filter. Tech. rep. TR 95-041, 2006.
[148] Guanghui Wen, Zhisheng Duan, Wenwu Yu, and Guanrong Chen. “Research Article”.
Undetermined. In: International Journal of Robust and Nonlinear Control 22.2 (Dec. 2011),
pp. 170–182. doi: 10.1002/rnc.1687.
[149] Wayne L. Winston. Operations Research: Applications & Algorithms. Thomson Business Press,
2008. isbn: 9788131501900.
[150] IJ Wod. “Weight of evidence: A brief survey”. In: Bayesian statistics 2 (1985), pp. 249–270.
[151] S. Yamamoto. “Assuring Security through Attribute GSN”. In: 2015 5th International Conference on
IT Convergence and Security (ICITCS). 2015, pp. 1–5. doi: 10.1109/ICITCS.2015.7292954.
131

[152] Pian Yu and Dimos V. Dimarogonas. “Distributed Motion Coordination for Multirobot Systems
Under LTL Specifications”. In: IEEE Transactions on Robotics (2021), pp. 1–16. doi:
10.1109/TRO.2021.3088764.
[153] Xiao Yuan, Chimay Anumba, and M. Parfitt. “Review of the Potential for a Cyber-Physical System
Approach to Temporary Structures Monitoring”. In: International Journal of Architectural
Research: ArchNet-IJAR 9 (Nov. 2015), pp. 26–44. doi: 10.26687/archnet-ijar.v9i3.841.
[154] Xingyu Zhao, Dajian Zhang, Minyan Lu, and Fuping Zeng. “A New Approach to Assessment of
Confidence in Assurance Cases”. In: Computer Safety, Reliability, and Security. Berlin, Heidelberg:
Springer Berlin Heidelberg, 2012, pp. 79–91.
[155] Kemin Zhou, John Comstock Doyle, Keith Glover, et al. Robust and optimal control. Vol. 40.
Prentice hall New Jersey, 1996.
132

Abstract (if available)

Abstract Cyber-physical systems (CPSs) are integration of computation and control with physical processes of different nature via sensing and actuation platforms. As CPSs increasingly perform sophisticated, mission-critical tasks previously carried out by humans, a major challenge in their design is to ensure that they execute the desired tasks while adhering to stringent safety and dependability requirements in uncertain and unpredictable environments.

This dissertation addresses this challenge by proposing novel specification, verification, and design methods using assume-guarantee (A/G) contracts. Contracts are a specification formalism that allows distinguishing between the behaviors a component promises (guarantees) and the ones it expects from the environment (assumptions). By virtue of their rigorous algebra, contracts enable scalable, modular reasoning about a system’s behaviors via abstraction and decomposition. To date, however, A/G contract frameworks have primarily been centered on discrete models and Boolean, qualitative notions of satisfaction.

In this dissertation, we propose two extensions of the existing contract frameworks to support continuous and hybrid system models as well as robust, quantitative notions of satisfaction and refinement in the presence of uncertainty. We first introduce reward contracts, which enable capturing the preferred behaviors of an agent (objectives) in addition to its admissible behaviors (assumptions and guarantees). We use signal temporal logic to express contract assumptions and guarantees and provide effective optimization-based encodings of contract-based verification and synthesis problems for both cooperative and non-cooperative multi-agent settings. We further introduce stochastic contracts, leveraging stochastic signal temporal logic to enable compositional reasoning in the presence of uncertainty. We present quantitative notions of contract satisfaction and contract refinement, investigate formulations of robust verification and design space exploration problems with stochastic contracts as bi-level optimization problems, and provide effective solution strategies for a class of stochastic systems. Finally, we show how contracts can facilitate the manual and error-prone task of checking system compliance with regulatory standards and system requirements. We present a contract-based method for the automated generation and evaluation of assurance arguments about system correctness and dependability. We formalize an assurance argument as a network of interconnected stochastic contracts and provide a coordinated approach that combines logic and Bayesian reasoning to assess its logical validity and the associated risk. Overall, the proposed extensions show how contracts can serve as a formal foundation for high-assurance design as well as rapid, continuous certification of CPSs.

Linked assets

University of Southern California Dissertations and Theses

Conceptually similar

PDF

Data-driven and logic-based analysis of learning-enabled cyber-physical systems

PDF

Security-driven design of logic locking schemes: metrics, attacks, and defenses

PDF

Verification, learning and control in cyber-physical systems

PDF

Learning logical abstractions from sequential data

PDF

Scaling control synthesis and verification in autonomy using neuro-symbolic methods

PDF

Formal analysis of data poisoning robustness of K-nearest neighbors

PDF

A polynomial chaos formalism for uncertainty budget assessment

PDF

Constraint based analysis for persistent memory programs

PDF

Sample-efficient and robust neurosymbolic learning from demonstrations

PDF

Differential verification of deep neural networks

PDF

Power optimization of asynchronous pipelines using conditioning and reconditioning based on a three-valued logic model

PDF

Graph machine learning for hardware security and security of graph machine learning: attacks and defenses

PDF

Static program analyses for WebAssembly

PDF

Algorithm and system co-optimization of graph and machine learning systems

PDF

Risk assessment, intrinsic interpolation and computationally efficient models for systems under uncertainty

PDF

Biological geometry-aware deep learning frameworks for enhancing medical cyber-physical systems

PDF

Theoretical and computational foundations for cyber‐physical systems design

PDF

The next generation of power-system operations: modeling and optimization innovations to mitigate renewable uncertainty

PDF

Custom hardware accelerators for boolean satisfiability

PDF

Theoretical foundations and design methodologies for cyber-neural systems

Asset Metadata

Creator Oh, Chanwook (author)

Core Title Assume-guarantee contracts for assured cyber-physical system design under uncertainty

School Viterbi School of Engineering

Degree Doctor of Philosophy

Degree Program Computer Engineering

Degree Conferral Date 2024-08

Publication Date 08/28/2024

Defense Date 08/28/2024

Publisher Los Angeles, California (original), University of Southern California (original), University of Southern California. Libraries (digital)

Tag assume-guarantee contracts,assurance cases,cyber-physical systems,formal verification,OAI-PMH Harvest,temporal logic,uncertainty quantification

Format theses (aat)

Language English

Contributor Electronically uploaded by the author (provenance)

Advisor Nuzzo, Pierluigi (committee chair), Jain, Rahul (committee member), Wang, Chao (committee member)

Creator Email chanwook128@gmail.com,chanwooo@usc.edu

Permanent Link (DOI) https://doi.org/10.25549/usctheses-oUC113999U1L

Unique identifier UC113999U1L

Identifier etd-OhChanwook-13443.pdf (filename)

Legacy Identifier etd-OhChanwook-13443

Document Type Dissertation

Format theses (aat)

Rights Oh, Chanwook

Internet Media Type application/pdf

Type texts

Source 20240828-usctheses-batch-1203 (batch), University of Southern California (contributing entity), University of Southern California Dissertations and Theses (collection)

Access Conditions The author retains rights to his/her dissertation, thesis or other graduate work according to U.S. copyright law. Electronic access is being provided by the USC Libraries in agreement with the author, as the original true and official version of the work, but does not grant the reader permission to use the work if the desired use is covered by copyright. It is the author, as rights holder, who must provide use permission if such use is covered by copyright.

Repository Name University of Southern California Digital Library

Repository Location USC Digital Library, University of Southern California, University Park Campus MC 2810, 3434 South Grand Avenue, 2nd Floor, Los Angeles, California 90089-2810, USA

Repository Email cisadmin@lib.usc.edu